
Bypassing Email Validation

How I found an email verification bypass while surfing as a normal user on a platform!

Gamer-Hacker

Introduction

Hello! I’m Himanshu—a security researcher, cybersecurity enthusiast, bug bounty hunter, and web developer. Of course, these are just fancy titles 😅😁, but all I have the talent and passion for is these things, especially cybersecurity—that's my love ❤️.


If you haven’t read my previous blogs, go check them out: My Blogs.


Today, I got my first Hall of Fame as an individual security researcher! 🎉


And guess what? This bug wasn’t the result of long hours of intense hunting. It was just a tiny alarm in my head when I noticed something suspicious while using a platform for personal use. 😅🤣😁



How I Found the Bug



If you’ve read my previous blogs, you know about my journey, struggles, and experiences. Coming to the present—I was using the platform to hunt for a job as a web developer. I didn’t even remember creating an account on the platform in the past, but when I tried signing in, it asked me to verify my email. So, I received a verification link in my email inbox.

Now, here’s an important habit of mine—I always use Incognito Mode for logging in because I don’t like saving unnecessary history and cache. So, my account was logged in on Incognito, but my email was open in the normal browser.


I clicked the verification link from my email, and guess what?



My email was verified—without even checking if my account was logged in or not!



All it used was a simple query parameter in the URL:
?email=email@mail.com


That’s it! My email got verified.

And at that moment, my bug bounty hunter instincts kicked in.

💡 Wait… it verified my email without requiring any session, cookie, or authentication?!




I immediately decided to confirm my suspicion by testing it further.


Digging Deeper



I registered a separate test account and followed the usual process.


1️⃣ During registration, the email verification step was at the end, requiring an OTP sent to the email.


2️⃣ Instead of entering the OTP, I used the same vulnerable URL and replaced the email parameter with my test email.

3️⃣ BOOM! The email got verified without needing access to the inbox or the OTP.



Reproduction Steps

1. Register an account as a victim using the victim’s email address.

2. Fill in the mandatory details until reaching the email verification step.

3. Instead of entering the OTP, use the vulnerable verification URL with the victim’s email.

4. The email gets verified without OTP or access to the actual email inbox.

5. The attacker is now inside the account, and the dashboard shows the email as verified.





Impact of the Bug


This was a serious abuse-prone vulnerability because:

  • 🚨 An attacker could register mass accounts using random email addresses.

  • 🚨 The system would mark these accounts as verified, leading to potential spam, impersonation, or fake profiles.

  • 🚨 Legitimate users couldn’t register later using their email if an attacker pre-registered it.




Disclosure & Fix

I quickly reported this issue to the platform, and they patched it within two days. 🔥


The fix implemented:

✅ The email verification step was moved to the first step of registration.


✅ The core issue was patched, so an email could not be verified without completing the proper OTP process.


After retesting, I confirmed that the bug was fully resolved.
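As an added illustration (not the platform's code, which this post does not show), here is the weak pattern described above, a handler that trusts the email in the query string alone, beside a hardened handler that only verifies the address belonging to the authenticated session and consumes a short-lived, single-use OTP. The in-memory stores, account addresses and six-digit OTP format are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed stand-ins for the platform's database (assumption, not real data).
ACCOUNTS = {
    "alice@example.com": {"verified": False},
    "bob@example.com": {"verified": False},
    "carol@example.com": {"verified": False},
}
PENDING_OTPS = {}  # email -> {"otp": str, "expires": unix time}
OTP_TTL_SECONDS = 600


def verify_email_weak(query):
    """The pattern the post describes: ?email= alone flips the flag.
    No session, no cookie, no OTP, so anyone who knows an address can verify it."""
    email = query.get("email")
    if email in ACCOUNTS:
        ACCOUNTS[email]["verified"] = True
        return True
    return False


def issue_otp(email):
    """Generate a time-limited OTP for the address (a real system emails it)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[email] = {"otp": otp, "expires": time.time() + OTP_TTL_SECONDS}
    return otp


def verify_email_hardened(session, body):
    """Verify only the address bound to the logged-in session, and only with
    a valid, unexpired, single-use OTP. Any email in the request is ignored."""
    email = session.get("user_email")
    if not email or email not in ACCOUNTS:
        return False  # unauthenticated request: nothing to verify
    pending = PENDING_OTPS.get(email)
    if pending is None or time.time() > pending["expires"]:
        PENDING_OTPS.pop(email, None)  # expired or never issued
        return False
    supplied = str(body.get("otp", "")).encode()
    if not hmac.compare_digest(supplied, pending["otp"].encode()):
        return False  # wrong code; constant-time compare avoids timing leaks
    del PENDING_OTPS[email]  # single use: a replayed OTP fails
    ACCOUNTS[email]["verified"] = True
    return True
```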


Final Thoughts




This experience reminded me of one simple truth:


💡 "Nothing is ever truly safe in the cyber world—everything is vulnerable at some point."


Hall of Fame: https://help.wellfound.com/article/814-bugs

This was an awesome learning experience, and I’m excited to keep pushing forward in my cybersecurity journey.



💀 Happy Hunting! 🔎🎯🔥

Published on: Thu Mar 13 2025
