Automattic: Follow by email allows for following by unverified emails

2019-12-20T07:25:15
ID H1:762121
Type hackerone
Reporter godofdarkness_msf
Modified 2020-01-14T17:15:08

Description

The initial report outlined being able to add any email address to a Tumblr account without verifying it first, which is expected behavior that does not pose a security risk. However, the reporter also reported that these unverified email addresses could be used in our “follow by email” feature, which we did consider to be a security risk. Our fix was to disallow follow by email for unverified email addresses.