HackerOne: Able to create basic user account via Google login on HackerOne Drupal CMS

ID H1:208407
Type hackerone
Reporter ishahriyar
Modified 2017-04-25T07:38:05


Summary: Hi, I've found that hackerone.com has Drupal installed, and when I navigated to this URL https://www.hackerone.com/user/password I found "Log in" and "password reset option". When I clicked on login, it redirected me to Google login. Then I logged in using my Gmail account and it redirected to hackerone.com. Then I requested a password reset, got a link by email, and was able to access the internal Drupal.

Description (Include Impact): Able to create a new account on that CMS.

Steps To Reproduce

  1. Navigate to this https://www.hackerone.com/user/password
  2. Click "Log in" using Google account.
  3. Again navigate to this https://www.hackerone.com/user/password

Put the Google mail and click on the request.

A one-time login link will be provided to that email.

POC: (Unlisted) https://youtu.be/lBio9OZpLpM