usd-2021-0027 | E-mail verification Bypass in CleverReach Newsletter Service


Advisory ID: usd-2021-0027
Affected Product: CleverReach
Affected Version: Latest (as of 3rd May 2021)
Vulnerability Type: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Security Risk: Low
Vendor URL: https://www.cleverreach.com/de/
Vendor Status: Fixed

Description

It was possible to register and verify arbitrary e-mail addresses for the newsletter.
The link for the registration confirmation and the link needed for the e-mail verification only differed in one letter.
Therefore, it was possible to craft the verification link without access to the e-mail account.

Proof of Concept (PoC)

After the form for the newsletter registration is completed, the user is redirected to a confirmation page.
The link for the confirmation page looks like this:

https://eu2.cleverreach.com/f/259909-299451/wcs/1179069-fb4586c815f6a

The verification link sent via e-mail only differs in one letter:

https://eu2.cleverreach.com/f/259909-299451/wss/1179069-fb4586c815f6a

By changing /wcs/ to /wss/ it is possible to register and verify arbitrary e-mails without having access to them.

Fix

The verification link should be unique and independent from the registration process.
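The flaw above is that the e-mail verification token is the same identifier already shown to the browser on the confirmation page, so no mailbox access is needed to complete verification. The following is an added illustration of the recommended fix, not CleverReach's code: the confirmation-page id and the verification token are generated independently, the token is stored only as a hash, is single-use and time-limited, and the verification check fails when the confirmation id is presented in place of the token. The in-memory store and the helper names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store (assumption): confirmation-page id -> record.
# A real service would keep this in a database; only the token hash is stored.
SUBSCRIPTIONS = {}

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for the mailed link


def start_registration(email, now=None):
    """Create a pending subscription.

    Returns (confirmation_page_id, verification_token). The two values come
    from independent random draws, so the id shown in the browser redirect
    reveals nothing about the token that is only ever sent to the mailbox.
    """
    now = time.time() if now is None else now
    confirmation_page_id = secrets.token_hex(8)       # appears in the redirect URL
    verification_token = secrets.token_urlsafe(32)    # appears only in the e-mail
    SUBSCRIPTIONS[confirmation_page_id] = {
        "email": email,
        "verified": False,
        "token_hash": hashlib.sha256(verification_token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return confirmation_page_id, verification_token


def verify(confirmation_page_id, presented_token, now=None):
    """Mark the subscription verified only if the presented token matches.

    Fails when the id is unknown, already verified (single use), expired,
    or when the token hash does not match in a constant-time comparison.
    """
    now = time.time() if now is None else now
    record = SUBSCRIPTIONS.get(confirmation_page_id)
    if record is None or record["verified"] or now > record["expires_at"]:
        return False
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, record["token_hash"]):
        return False
    record["verified"] = True
    return True
```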

Timeline

  • 2021-05-03: This vulnerability was identified by Nicolas Schickert.
  • 2021-05-07: Advisory submitted to vendor via e-mail.
  • 2021-05-25: Vendor states that they will be fixing this issue in a future version.
  • 2021-06-30: Vendor acknowledges behaviour and starts working on a fix.
  • 2021-11-22: Vendor informs about fix.
  • 2021-12-30: Vulnerability persists, details provided to vendor.
  • 2022-01-11: Vulnerability is fixed by vendor.
  • 2022-07-15: Advisory is published.

Credits

This security vulnerability was identified by Nicolas Schickert of usd AG.