Email verification not required

State Resolved in August, 2021
Issue ID rXv2z3OpAd56UgEdnXL
Asset Web application
Bounty $800
Reported in August, 2021
Reporter Usama Varikkottil
Severity Medium
Visibility Complete
Weakness CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User

Description

An administrator invites a regular user to a workspace. After accepting the invitation, the invited user can change their role through this functionality.

Step-by-step Scenario

  1. Three users are in the same workspace: the owner, a regular user, and an invited user with the admin role.
  2. The regular user configures their account with the same email address as the invited user (a duplicate).
  3. After configuring that email, the regular user sends an API request to confirm the change to their regular email.
  4. The regular user can now promote themselves to the administrator role.

Expected

Users should not be able to bypass email verification.
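As an added example (not code from the report or from the affected application), the unverified email change beside a hardened version that stages the change behind a verification token and refuses an address already held by another account. The user ids, addresses and invitation table are constructed for the scenario above; a real system would deliver the token to the new address rather than return it to the caller.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    uid: str
    email: str
    role: str = "member"
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None

# Constructed workspace matching the scenario: owner, regular user, invited admin.
# Invitations are keyed by email address; that is why an unverified email
# change lets a regular user inherit the invited admin's role.
INVITES = {"invited-admin@example.test": "admin"}

def make_workspace() -> Dict[str, User]:
    return {
        "u1": User("u1", "owner@example.test", role="owner"),
        "u2": User("u2", "regular@example.test"),
        "u3": User("u3", "invited-admin@example.test"),
    }

def role_for(user: User) -> str:
    """Role granted by the invitation matching the account's email, if any."""
    return INVITES.get(user.email, user.role)

# Vulnerable flow: the new address takes effect at once, with no verification
# and no uniqueness check, so a member can claim the invited admin's address.
def change_email_unverified(users: Dict[str, User], uid: str, new_email: str) -> str:
    user = users[uid]
    user.email = new_email
    user.role = role_for(user)
    return user.role

# Hardened flow: the change is staged until a token sent to the new address is
# presented, and an address already held by another account is refused.
def request_email_change(users: Dict[str, User], uid: str, new_email: str) -> str:
    if any(u.email == new_email for u in users.values() if u.uid != uid):
        raise ValueError("address already in use by another account")
    user = users[uid]
    user.pending_email = new_email
    user.pending_token = secrets.token_urlsafe(16)
    return user.pending_token  # emailed to new_email in a real system, never returned

def confirm_email_change(users: Dict[str, User], uid: str, token: str) -> str:
    user = users[uid]
    if user.pending_token is None or not secrets.compare_digest(token, user.pending_token):
        raise PermissionError("missing or invalid verification token")
    user.email, user.pending_email, user.pending_token = user.pending_email, None, None
    user.role = role_for(user)
    return user.role
```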