
Email uniqueness not properly verified

Description

The system accepts the plus character (sub-addressing, e.g. user+tag@domain) in the email used during registration. An attacker could abuse this feature to create several accounts that all deliver to the same inbox.

Impact

Create multiple accounts with the same email.

Recommendation

The system must validate emails in such a way that a single inbox can be associated with, or represent, only one account.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 4.3
    • Temporal: 4.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Passwords should always be stored as encrypted values and never returned as plain text in a response.

const registerUser = async (req, res, next) => {
  const { username, password, email } = req.body
  try {
    // The validation method also checks if the email already exists
    await User.validate({
      username,
      password,
      email,
    })
    // Only a success message is returned; neither the password nor the
    // user record is echoed back in the response
    res.status(200).json({
      message: "User successfully created",
    })
  } catch (err) {
    res.status(401).json({
      message: "Something went wrong: User not created",
      error: err.message,
    })
  }
}

Non compliant code

There is no verification for duplicate emails.

const registerUser = async (req, res, next) => {
  const { username, password, email } = req.body
  try {
    // The method does not check if the email is duplicated before creating
    // a new user: the email is not even passed to the validation
    await User.validate({
      username,
      password,
    })
    res.status(200).json({
      message: "User successfully created",
    })
  } catch (err) {
    res.status(401).json({
      message: "Something went wrong: User not created",
      error: err.message,
    })
  }
}

Requirements