Email addresses are stored as VARCHAR(128). However, Phabricator does not verify the length of an email address upon registration. This allows attackers to bypass the allowed email-domains defined in
Exploiting this is rather straightforward: get an email address that is 128 characters long (this StackOverflow answer indicates that the maximum length of an email address is 254 characters). Now register with your 128-character email address with @allowed-domain.com appended to it. The @allowed-domain.com part will be truncated because MySQL can't store it, and you will receive a verification email on your 128-character email address.
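The following is an added example, not Phabricator's code: it emulates MySQL's silent truncation of an over-long VARCHAR(128) value (non-strict sql_mode) to show why a domain check on the submitted string passes while the stored address belongs to another domain, and contrasts it with a check that enforces the column length and validates the value that will actually be stored. The allowed-domain set and the attacker-owned domain are constructed placeholders.

```python
# Added example (not Phabricator's code). Emulates the truncation bypass from
# the report and a hardened registration check. Column length is the VARCHAR(128)
# named in the report; the allowed-domain list is a hypothetical setting.
EMAIL_COLUMN_LENGTH = 128
ALLOWED_DOMAINS = {"allowed-domain.com"}  # hypothetical allowed email domains


def mysql_truncate(value: str, length: int = EMAIL_COLUMN_LENGTH) -> str:
    """Emulate non-strict MySQL silently cutting a VARCHAR to its declared length.
    (With a strict sql_mode the INSERT would fail instead of truncating.)"""
    return value[:length]


def domain_of(address: str) -> str:
    """Domain part after the last '@', lower-cased; empty if there is no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def naive_check(address: str) -> bool:
    """Vulnerable pattern: validates the submitted string, not the stored one."""
    return domain_of(address) in ALLOWED_DOMAINS


def hardened_check(address: str) -> bool:
    """Reject anything the column cannot hold unchanged, then validate the
    exact value that will be stored."""
    if len(address) > EMAIL_COLUMN_LENGTH:
        return False
    stored = mysql_truncate(address)
    if stored != address or stored.count("@") != 1:
        return False
    return domain_of(stored) in ALLOWED_DOMAINS


def demo() -> dict:
    """Constructed input: a 128-char address on an attacker-owned domain with
    the allowed domain appended, as the report describes."""
    owned_domain = "@attacker.example"  # placeholder attacker-controlled domain
    owned = "a" * (EMAIL_COLUMN_LENGTH - len(owned_domain)) + owned_domain
    submitted = owned + "@allowed-domain.com"  # 147 chars, fails to fit
    stored = mysql_truncate(submitted)         # silently becomes `owned`
    return {
        "naive_accepts": naive_check(submitted),
        "stored_is_attacker_address": stored == owned,
        "hardened_accepts": hardened_check(submitted),
        "hardened_accepts_legit": hardened_check("user@allowed-domain.com"),
    }
```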
This is especially easy if you're using a Gmail address: if you own firstname.lastname@example.org, you'll also receive any mails sent to