Reclassification and Addition Request: Lack of Email Confirmation on Email Change Variants
Dear Bugcrowd VRT Team,
I would like to propose a new VRT entry under:
Category: Server Security Misconfigurations
Subcategory: Lack of Email Confirmation
Variant: Email Change
Proposed Variants:
P4: Email change without verification leads to pre-registration of victim user accounts (e.g., [email protected]), denying them future access.
P3: Email change to company emails (e.g., [email protected]) without verification enables impersonation, account takeover, and access through trusted domains.
Why This Matters:
- The new email is accepted without confirmation, immediately replacing the original, even if the address isn't owned or accessible.
- This leads to pre-account takeover and email-based identity abuse, especially impactful when company or admin addresses are used.
- If 2FA is enabled before and after the change, the account becomes permanently locked, as the real user cannot reset the password.
- No validation also breaks trust in workflows like password reset, notifications, or login alerts.
Recommendation:
Add the above scenarios as VRT variants. This misconfiguration has real-world impact and can be fully mitigated by requiring ownership confirmation before finalizing email changes.
Best regards,
RivuDon
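The misconfiguration the request describes, and the mitigation it recommends, side by side as an added example (not code from Bugcrowd, the VRT project, or the requester). The outbox, user model, token lifetime and helper names are assumptions made for the illustration; the point is that the hardened flow never writes the new address into the account until a token delivered to that address comes back.

```python
"""Email-change flow: the unverified (misconfigured) handler beside a
handler that requires ownership confirmation of the new address."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a pending change expires after 15 minutes


@dataclass
class User:
    user_id: int
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    pending_expires: float = 0.0


@dataclass
class Outbox:
    """Constructed stand-in for a mail service: records messages instead of sending."""
    messages: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.messages.append({"to": to, "subject": subject, "body": body})


def change_email_unverified(user: User, new_email: str) -> None:
    """Misconfigured handler (the behaviour the VRT request describes): the new
    address replaces the old one immediately, whether or not the requester
    controls that mailbox."""
    user.email = new_email


def request_email_change(user: User, new_email: str, outbox: Outbox,
                         now: Optional[float] = None) -> str:
    """Hardened step 1: park the new address as pending and mail a one-time token
    to it. The account's email is NOT changed here. The token is returned only so
    the example can be exercised; in a real service it reaches the user solely
    through the new mailbox."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.pending_token = token
    user.pending_expires = now + TOKEN_TTL_SECONDS
    outbox.send(new_email, "Confirm your new email address",
                f"Use this token to confirm the change: {token}")
    # Tell the current address as well, so the legitimate owner sees the attempt.
    outbox.send(user.email, "Email change requested",
                f"A request was made to change this account's email to {new_email}. "
                "If this was not you, secure your account.")
    return token


def confirm_email_change(user: User, token: str, now: Optional[float] = None) -> bool:
    """Hardened step 2: finalize only with a valid, unexpired token that was
    delivered to the new mailbox. Returns True when the change was applied."""
    now = time.time() if now is None else now
    if not user.pending_email or not user.pending_token:
        return False
    if now > user.pending_expires:
        _clear_pending(user)  # stale request: drop it, do not apply it
        return False
    if not hmac.compare_digest(user.pending_token, token):
        return False  # wrong token: pending state stays so the real mail can still be used
    user.email = user.pending_email
    _clear_pending(user)
    return True


def _clear_pending(user: User) -> None:
    user.pending_email = None
    user.pending_token = None
    user.pending_expires = 0.0


if __name__ == "__main__":
    # Constructed demo: the hardened flow refuses to switch the address on its own.
    demo_user = User(1, "owner@example.invalid")
    demo_outbox = Outbox()
    demo_token = request_email_change(demo_user, "new@example.invalid", demo_outbox)
    print("email after request:", demo_user.email)          # still the old address
    print("confirmed:", confirm_email_change(demo_user, demo_token))
    print("email after confirm:", demo_user.email)          # now the new address
```

The notification to the old address is not a substitute for the token check; it only gives the real owner a chance to notice. The token itself is what makes the change conditional on control of the new mailbox, which is the ownership confirmation the request asks for.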