Gratipay: Adding Used Primary Email Address to attacker account and Account takeover

ID H1:273647
Type hackerone
Reporter sandeepl337
Modified 2017-10-05T14:38:00



I just found that Gratipay is vulnerable to adding an already-used primary email address to an attacker's account, leading to account takeover on Gratipay.


I was looking at the source code of the application and found that, "If the email address is already added to the X Gratipay account as the primary email address, then the attacker can also add the in the Y Gratipay account".

The above attack can be achieved by using the add-email action and updating the address parameter with the payload once you log in to the account.

Steps To Reproduce

As you can see, line number 123 checks whether the email address already exists in the database.

Normal behavior - When the user uses the it already exists in the database, it will not allow you to add the email address to a different account, according to line number 123.

Attack - When the attacker tries to add the which is already added to the other user's Gratipay account, he can still add the other account's primary email to the attacker's Gratipay account as the primary email.

Payload: action=add-email& all you need to do is append %20 (%20 is treated as a space, but the code below line 123 treats it as a new email address).

Once the above line is executed, line number 131 runs and the application will send a verification link to the email address.

If the victim's email address is stolen or the attacker has temporary access to the email, then the attacker can create a new account on Gratipay and add the victim's email address to this Gratipay account. The attacker will receive all the payment-related emails, and using "forgot my password" the attacker can take over the account.


Kindly find the attached screenshot.


On line number 314 the application updates the table without verifying whether "the requested email address already exists in the database and is assigned to another account".

A simple patch would be to check for space-encoding characters and also to verify whether the email address already exists in the database and is assigned to another account.
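The check described above, as an added example (not Gratipay's code): a minimal in-memory model with the raw-string lookup beside a hardened version that normalizes the address before both the existence check and the store. The account ids, addresses and query string are constructed for the example.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed sample data: account "X" already owns the address, and the
# request body appends %20 to it, as the report describes.
EXAMPLE_STORE: Dict[str, str] = {"alice@example.com": "X"}
EXAMPLE_QUERY = "action=add-email&address=alice%40example.com%20"

def address_from_query(query: str) -> Optional[str]:
    """Decode the form body the way a web framework would: %20 survives
    as a literal trailing space in the value handed to the check."""
    params = parse_qs(query)
    if params.get("action") != ["add-email"]:
        return None
    return params.get("address", [None])[0]

def normalize_email(address: str) -> str:
    """Canonical form for every lookup and store: trim surrounding
    whitespace, reject internal whitespace or malformed input, lowercase
    (lowercasing the local part is an assumed convention, not RFC)."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or re.search(r"\s", address):
        raise ValueError("malformed email address")
    return address.lower()

def add_email_weak(store: Dict[str, str], account: str, address: str) -> str:
    """Mirrors the flaw: existence check on the raw string, then store.
    'alice@example.com ' is not found, so it is saved as a second key."""
    owner = store.get(address)
    if owner is not None and owner != account:
        return "taken"
    store[address] = account
    return "added"

def add_email_hardened(store: Dict[str, str], account: str, address: str) -> str:
    """Normalize before the check and store the normalized value, so both
    sides of the uniqueness test compare the same key."""
    try:
        canon = normalize_email(address)
    except ValueError:
        return "invalid"
    owner = store.get(canon)
    if owner is not None and owner != account:
        return "taken"
    store[canon] = account
    return "added"
```

The same normalization must also back the database-level uniqueness constraint, otherwise two rows differing only in whitespace or case can still coexist.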

If you have any questions or need a video PoC, let me know and I'll prepare it separately.