
ID: 262
Status: Closed
Summary: Email Normalization Bypass Allows Multiple Accounts Wit ...
Opened by: kalihunter001_

Task Description

Summary

The application fails to normalize Gmail addresses during signup. Gmail treats email variations involving dots (.) and plus tags (+) as the same address, but the website processes each variation as a unique account.

As a result, an attacker can register unlimited accounts using a single Gmail inbox, bypassing restrictions such as:

one-user-per-email
free trial limits
referral abuse
promo codes
account creation throttling
Proof of Concept (PoC)

Step 1: Sign up with a real Gmail address. Email: kalihunter001@gmail.com → Receive verification code.
Step 2: Sign up again using a dot variation. Email: ka.lihunter001@gmail.com → Also receive confirmation email in the same inbox.

Impact

An attacker can:

Create unlimited fake accounts
Abuse free trials or credits
Abuse referral or promo systems
Circumvent limits on number of accounts per user
Spam the system with mass-registered accounts
Evade anti-fraud mechanisms
Potentially escalate privilege in systems that trust email uniqueness
This is a Business Logic Vulnerability that can directly affect revenue, analytics, and operational integrity.

Recommendation (Fix)

Normalize email addresses before storing or checking uniqueness:

Remove dots from Gmail usernames
Strip anything after + in the username
Convert to lowercase
Convert googlemail.com to gmail.com
Enforce uniqueness on normalized email
Example normalized form for all Gmail inputs: kalihunter001@gmail.com

POC ATTACHED BELOW

Regards,
Kali Hunter
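The normalization the report recommends, written out as an added example (this is not the reporter's PoC nor the affected application's code). It lowercases the address, strips the "+tag" and the dots from the local part only for Google mailboxes, maps googlemail.com onto gmail.com, and then enforces uniqueness on that canonical key. It also includes an audit helper that finds accounts already colliding under the same key. Assumptions: the domain set is limited to gmail.com and googlemail.com, other domains are only lowercased because dots are significant there, and the registry class is a stand-in for whatever user store the real application uses.

```python
"""Added example: canonicalize e-mail addresses before uniqueness checks.

Domain list and the treatment of non-Gmail addresses are assumptions made
for this example, not facts taken from the report or the affected site.
"""
from collections import defaultdict

# Assumption: only Google's mailboxes ignore dots and "+tag" in the local
# part. Most other providers treat dots as significant, so they are left alone.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
CANONICAL_GMAIL_DOMAIN = "gmail.com"


def normalize_email(address: str) -> str:
    """Return the canonical form used as the account uniqueness key.

    - trims surrounding whitespace and lowercases the whole address
    - for gmail.com / googlemail.com: drops everything after "+", removes
      dots from the local part and rewrites the domain to gmail.com
    - other domains: lowercased only
    Raises ValueError for anything that is not a single local@domain pair.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]      # strip the plus tag
        local = local.replace(".", "")      # dots are insignificant
        domain = CANONICAL_GMAIL_DOMAIN     # googlemail.com is an alias
        if not local:
            raise ValueError(f"local part empty after normalization: {address!r}")
    return f"{local}@{domain}"


class AccountRegistry:
    """Stand-in user store that enforces uniqueness on the normalized key."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    def register(self, address: str) -> bool:
        """Create the account; return False if the mailbox is already taken."""
        key = normalize_email(address)
        if key in self._by_key:
            return False
        self._by_key[key] = address   # keep the address as typed for display
        return True

    def __len__(self) -> int:
        return len(self._by_key)


def find_collisions(addresses: list[str]) -> dict[str, list[str]]:
    """Audit helper: group existing accounts that share one canonical mailbox.

    Useful for checking a user table that was populated before the fix.
    Unparseable entries are skipped rather than aborting the audit.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for addr in addresses:
        try:
            groups[normalize_email(addr)].append(addr)
        except ValueError:
            continue
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample data mirroring the report's two signups plus extras.
    registry = AccountRegistry()
    for candidate in ["kalihunter001@gmail.com",
                      "ka.lihunter001@gmail.com",
                      "kalihunter001+trial2@googlemail.com",
                      "kali.hunter@example.com"]:
        print(f"{candidate:40} -> {registry.register(candidate)}")
    print("distinct mailboxes:", len(registry))
```

The key stored in `_by_key` is what the uniqueness constraint should be placed on (a unique index on a `normalized_email` column in a real schema), while the address as typed can still be kept for display and for sending mail. Running `find_collisions` over an existing user export shows which accounts were already created through this bypass before the fix was deployed.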

