I was registering on an e-commerce website (no, I\'m not gonna name it), when, d

Question

I was registering on an e-commerce website (no, I'm not gonna name it), when, due to my pentest nature, I captured the GET request for resending a confirmation email.

Kinda like: http://www.ecommerce.com/resend?email=someguy%40domain.com

What I noticed was, when I entered a registered email (on the website, my friend's account) as the GET request, I saw a blank page. When I entered an unregistered but existent email (my alternate email), i got redirected to the homepage, i.e. ecommerce.com

Is this a serious vulnerability? All it can tell is if someone is registered or not, but then again, a python script and you could process it all quite fast.

Should I report this?

Explanation / Answer

You are right in that is an information disclosure, someone can easily discover valid usernames and then try and crack their security. If I was the site owner I'd like to know about it. Ideally you would notify the site owner, they may have an email address for that or a contact us link you could use.

The one caveat is that some places have misguided anti-hacking laws which make even ethical hacking illegal. Germany is an example although in practice they don't seem to be chasing people for performing helpful acts. It's highly unlikely that any negatives would come from this, and who knows, they may even send you a t-shirt or pay your a bug bounty.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.