Do not allow users to enter the dashboard panel before verification (Broken Access Control vulnerability) #555

Email: [email protected]

In this case, after registering using the victim’s email, the malicious user can link his account to the victim’s account (this website has a feature to link/connect accounts such as Phantom, Coinbase, Trust Wallet, etc.).

As a result of the linking, the malicious user can still log into the victim’s account through the other login menus (such as Coinbase, Trust Wallet, Phantom).

Steps To Reproduce:

  1. The attacker registered using the victim’s email ([email protected])

  2. The attacker successfully registers and makes it to the dashboard panel

  3. The victim tries to register but is unsuccessful because his email has already been used by the attacker, and sees the caption “Email has been taken”.

  4. The victim verifies his account using the email registered by the attacker.

  5. The attacker links his account (such as a Trust Wallet account).

  6. The victim manages to recover the password and log in to his account, but does not realize that the attacker has linked his own account to the victim’s account.

  7. The attacker can still control the victim’s account by logging in using the previously linked account.
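The seven steps above, replayed against a small in-memory model of the registration + wallet-linking flow. This is an added example, not code from the report or from the affected site: the `AuthService` class, its method names, the provider name and the sample address and wallet id are assumptions made for illustration. The same scenario runs once with the vulnerable policy (an unverified account can link wallets, and password recovery leaves the links in place) and once with a hardened policy (linking refused until the e-mail is verified, and every linked sign-in path revoked on verification and on password recovery).

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    email: str
    password: str
    email_verified: bool = False
    links: dict = field(default_factory=dict)  # provider -> wallet_id


class AuthService:
    """Hypothetical backend; 'hardened' switches the fix on."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}       # email -> Account
        self.wallet_index = {}   # (provider, wallet_id) -> email
        self.verify_tokens = {}  # token -> email; token is mailed to the address owner
        self.reset_tokens = {}   # token -> email; likewise mailed

    def register(self, email, password):
        if email in self.accounts:
            raise ValueError("Email has been taken")
        self.accounts[email] = Account(email, password)
        token = secrets.token_urlsafe(16)
        self.verify_tokens[token] = email
        return token

    def verify_email(self, token):
        acct = self.accounts[self.verify_tokens.pop(token)]
        acct.email_verified = True
        if self.hardened:
            # Anything linked before the mailbox owner confirmed the address was
            # linked by whoever registered it, who need not be the owner.
            self._revoke_all_links(acct)

    def link_wallet(self, email, provider, wallet_id):
        acct = self.accounts[email]
        if self.hardened and not acct.email_verified:
            raise PermissionError("verify your email before linking accounts")
        acct.links[provider] = wallet_id
        self.wallet_index[(provider, wallet_id)] = email

    def _revoke_all_links(self, acct):
        for provider, wallet_id in list(acct.links.items()):
            self.wallet_index.pop((provider, wallet_id), None)
        acct.links.clear()

    def login_with_password(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and secrets.compare_digest(acct.password, password)

    def login_with_wallet(self, provider, wallet_id):
        """Return the e-mail whose dashboard this wallet sign-in lands in, or None."""
        return self.wallet_index.get((provider, wallet_id))

    def request_password_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def reset_password(self, token, new_password):
        acct = self.accounts[self.reset_tokens.pop(token)]
        acct.password = new_password
        if self.hardened:
            # Recovery implies someone else may have held the password: drop every
            # alternate sign-in path so only the mailbox owner can get back in.
            self._revoke_all_links(acct)


def run_report_scenario(hardened: bool) -> dict:
    """Replay the report's steps and record what the attacker can still do."""
    svc = AuthService(hardened)
    victim = "victim@example.com"            # constructed sample address
    wallet = ("trust_wallet", "0xATTACKER")  # constructed sample wallet id
    out = {}

    verify_token = svc.register(victim, "attacker-pw")  # steps 1-2: attacker sets the password
    try:
        svc.register(victim, "victim-pw")               # step 3
        out["duplicate_register_blocked"] = False
    except ValueError:
        out["duplicate_register_blocked"] = True
    try:                                                # attacker links while still unverified
        svc.link_wallet(victim, *wallet)
        out["link_before_verify"] = True
    except PermissionError:
        out["link_before_verify"] = False
    svc.verify_email(verify_token)                      # step 4: victim clicks the mailed link
    svc.link_wallet(victim, *wallet)                    # step 5: attacker still knows the password
    svc.reset_password(svc.request_password_reset(victim), "victim-new-pw")  # step 6
    out["attacker_password_after_recovery"] = svc.login_with_password(victim, "attacker-pw")
    out["wallet_login_after_recovery"] = svc.login_with_wallet(*wallet)      # step 7
    return out


if __name__ == "__main__":
    print("vulnerable:", run_report_scenario(hardened=False))
    print("hardened:  ", run_report_scenario(hardened=True))
```

Note the ordering in the report: the victim verifies (step 4) before the attacker links (step 5), and at that point the attacker still holds the password he chose, so a verification gate on linking alone does not close the hole. That is why the hardened policy also revokes linked identities when the password is recovered (and on verification, for links made earlier); a real deployment would invalidate pre-existing sessions at the same points and show the user which providers were unlinked.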

18 days ago: Changed the status to In Progress