ID: 292
Status: Closed
Summary: Security Finding Report: Free Trial Abuse via Email Ali ...
Opened by: ubaid_one

Task Description

Hello Alwaysdata Security Team,
I would like to report a security vulnerability.

Severity level: Medium

Target: https://admin.alwaysdata.com

Category: Business Logic Flaw

Summary
A business logic flaw was discovered in the user registration system that allows a single individual to register an unlimited number of free trial accounts using a single primary email address. This is achieved by exploiting the additional addressing feature (the "+" sign) in email providers like Gmail.

Reproduction Steps
Example accounts:
laminasi0390@gmail.com (Primary Account)
laminasi0390+2@gmail.com (Detected as a new account)
laminasi0390+3@gmail.com (Detected as a new account)

1. Register and log in to the first account (primary account) using the email address: laminasi0390@gmail.com. Activate the free trial.
2. Register a second new account using the email address: laminasi0390+2@gmail.com. Check your inbox at laminasi0390@gmail.com. You will receive a verification email for the second account. Verify it and note that the free trial is valid for this "new" account again.
3. Register a third new account using the email address: laminasi0390+3@gmail.com. Check your inbox at laminasi0390@gmail.com. You will receive a verification email for the third account. Verify it and note that the free trial is valid for this "new" account again.
4. Repeat the process with +4, +5, and so on.

Business Impact
1. Financial Loss: Users can continue to enjoy premium features without paying.
2. Resource Abuse: Server load increases due to serving duplicate accounts.
3. Abuse of unlimited free trials.

Recommended Fixes
1. Remove Aliases: Identify the + signs and delete all characters between them up to the @ sign.
2. Normalize email formats.
3. Enforce uniqueness on canonical email values.
4. Optionally, block email aliases if they are not supported.

Regards,
Muchamad Alfian
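One way to implement the three fixes the report asks for (strip the sub-address, normalize the format, enforce uniqueness on the canonical value) and to replay the reproduction steps against it. This is an added example, not Alwaysdata's code. The provider rules are assumptions made for illustration: Gmail ignores dots in the local part and treats googlemail.com as gmail.com, and every domain gets the "+tag" sub-address removed; the TrialRegistry class is a hypothetical stand-in for the registration table.

```python
"""Canonicalise e-mail addresses so that sub-addressed aliases of one mailbox
map to a single key, and enforce uniqueness on that key at registration time.

Added example, not Alwaysdata's code. The provider rules below are assumptions:
they model Gmail's behaviour (case-insensitive local part, dots ignored,
'+tag' sub-addressing) and strip '+tag' for every other domain as well.
"""
from dataclasses import dataclass, field

# Assumed provider behaviour: these domains ignore dots in the local part,
# and googlemail.com delivers to the same mailbox as gmail.com.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(address: str) -> str:
    """Return the canonical form used as the uniqueness key.

    The address as entered is still where the verification mail is sent;
    only the key stored for the uniqueness check is normalised.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    domain = DOMAIN_ALIASES.get(domain, domain)
    # RFC 5321 allows case-sensitive local parts, but common providers
    # ignore case; lowercasing prevents Bob@ and bob@ becoming two accounts.
    local = local.lower()
    # Fix 1 from the report: drop everything from the first '+' up to the '@'.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    if not local:
        raise ValueError(f"empty local part after normalisation: {address!r}")
    return f"{local}@{domain}"


@dataclass
class TrialRegistry:
    """Hypothetical stand-in for the registration table, keyed on the canonical address."""
    _canonical_keys: set = field(default_factory=set)

    def register(self, address: str) -> bool:
        """Return True if a free trial was granted, False if that mailbox already has one."""
        key = canonical_email(address)
        if key in self._canonical_keys:
            return False
        self._canonical_keys.add(key)
        return True


def replay_report(addresses):
    """Run a list of sign-up attempts (the report's reproduction steps) against a
    fresh registry and return, per attempt, whether a trial was granted."""
    registry = TrialRegistry()
    return [registry.register(a) for a in addresses]


if __name__ == "__main__":
    # Constructed sample input mirroring the three addresses in the report.
    attempts = [
        "laminasi0390@gmail.com",
        "laminasi0390+2@gmail.com",
        "laminasi0390+3@gmail.com",
    ]
    print(replay_report(attempts))  # [True, False, False]
```

The canonical value is only the uniqueness key; the verification mail still goes to the address the user typed, so legitimate use of "+tag" for filtering keeps working. Two caveats for anyone deploying this: some mail hosts allow "+" as a literal character in distinct mailboxes, so a collision should prompt the user for another address rather than silently merging accounts; and canonicalisation only raises the cost of abuse, since the same person can still register from other domains or disposable mailboxes.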
