Core Concepts
Improper authentication implementation in a UK government website's registration process allowed an attacker to bypass email verification and gain unauthorized access to an admin account.
Abstract
The author discovered a vulnerability in the registration process of a UK government website that allowed bypassing email verification. The key insights are:
The website had a registration page where users could create accounts and manage their data, including signing up for newsletters, courses, and competitions.
During the registration process, the website sent an email confirmation with a token ID and username.
The author observed that the token ID was easily guessable: as the Stats section shows, it was a sequential counter that differed by a single digit between consecutively registered accounts.
By crafting a URL with the predicted token ID and the target username, the author was able to bypass the email verification process and gain access to an admin account (admin@gov.uk) without having access to that mailbox.
This vulnerability allowed the author to effectively pre-take over the admin account (claiming it before its legitimate owner completed registration), demonstrating a significant security flaw in the website's authentication implementation.
The author reported the issue and is awaiting the team's confirmation and further updates.
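As an added illustration (not code from the original writeup or from the affected site), the following shows how a registration flow can issue and check a verification token that is unguessable, bound to the account it was issued for, time-limited and single-use; the in-memory store, function names and TTL are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store of pending signups, keyed by token hash.
# A real deployment would keep this in a database.
_pending = {}

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_signup_token(username: str, email: str, now: Optional[float] = None) -> str:
    """Create a random, account-bound, expiring token for the confirmation email."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG; unlike a sequential SignupID, the next
    # value cannot be derived from the previous one.
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = {
        "username": username,
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def verify_signup(token: str, username: str, now: Optional[float] = None) -> bool:
    """Return True only for a live token presented with the account it was issued for."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _pending.get(key)
    if entry is None:
        return False
    if now > entry["expires"]:
        _pending.pop(key, None)
        return False
    # The username in the URL must match the one the token was issued for:
    # a valid token for one user must never activate a different account.
    if entry["username"] != username:
        return False
    _pending.pop(key, None)  # single use: a replayed link is rejected
    return True
```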
Stats
www.redacted.com/Webaccount?SignupID=NHKS-001026912_075&LDAP_account=victim_user
www.redacted.com/Webaccount?SignupID=NHKS-001026913_075&LDAP_account=attacker_account
www.redacted.com/Webaccount?SignupID=NHKS-001026914_075&LDAP_account=admingovuk
Quotes
"Even though it's just a pre-account takeover, the guessable API token affected the whole registration functionality. As a result, I was logged in as admin@gov.uk."