Business Logic issue in notification

Gupta Bless
Mar 18, 2020

INDEX

· Introduction about functionality

· Proof Of Concept

· Vulnerability

· Recommendation

· Introduction about functionality

I am working on a website; let’s call it “somesite.com”. The website requires a paid plan to use it, but it also provides a 15-day trial account so that you can evaluate the functionality. After the trial expires, many functionalities get disabled; for example, notifications of incidents get disabled after the expiration of the trial.

There are three ways which “somesite.com” uses to send the notifications.

a) On your account screen: You will get the notifications on the UI as popups.

b) By Email: You will receive the notifications at your registered email address.

c) By SMS: You will receive the notifications on your registered mobile number.

My trial had expired, so when I logged in to my expired account it prompted a message like this:

“Your “somesite.com” trial has been EXPIRED! All notifications are Now Disabled”

· Proof Of Concept

1. Log in to your account and you will get a popup notification stating that “all notification disabled”.

2. To check whether the notifications are really disabled, I created an incident.

3. Mark this incident as resolved or assigned.

4. You will see that you are still getting the notifications on the UI and by email as well, even though the message we got in step 1 said all notifications are disabled.

From the above screenshots we can clearly see that I am getting notifications from an expired account.

· Recommendation

Disable the notifications for expired accounts on every channel (UI, email and SMS), not just show the expiry message.
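The root cause described in the proof of concept is that the expiry check lives only in the login banner, while the code path that fans an incident update out to the UI, email and SMS never asks whether the account is still entitled. The following is an added example (constructed for this write-up, not code from “somesite.com” or the author) that walks the four PoC steps against a flawed dispatcher and a fixed one. It assumes a 15-day trial counted from a `trial_started` date, two plan kinds (`"paid"` and `"trial"`), and an in-memory `Notifier` standing in for the real senders; all names, dates and the incident are made up.

```python
"""Added example: enforce subscription entitlement at notification dispatch.

Constructed illustration, not the code of "somesite.com". Assumptions:
a 15-day trial counted from trial_started (that day inclusive), plan values
"paid" and "trial", and an in-memory Notifier in place of real UI/email/SMS.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, List, Optional, Tuple

TRIAL_DAYS = 15  # assumed trial length, matching the post's "15 days trial"

# Constructed dates used by the walkthrough below.
TODAY = date(2020, 3, 18)
EXPIRED_TRIAL_START = date(2020, 2, 1)   # expired well before TODAY
ACTIVE_TRIAL_START = date(2020, 3, 10)   # still inside the 15-day window


class Channel(Enum):
    UI = "ui"
    EMAIL = "email"
    SMS = "sms"


@dataclass
class Account:
    name: str
    plan: str                             # "paid" or "trial" (assumed values)
    trial_started: Optional[date] = None  # only meaningful for plan == "trial"


@dataclass
class Incident:
    title: str
    status: str = "open"                  # "open", "assigned" or "resolved"


def is_entitled(account: Account, today: date) -> bool:
    """Single source of truth: may this account receive notifications today?"""
    if account.plan == "paid":
        return True
    if account.plan == "trial" and account.trial_started is not None:
        return today < account.trial_started + timedelta(days=TRIAL_DAYS)
    return False


def login_banner(account: Account, today: date) -> str:
    """Message shown at login, mirroring the expiry popup from the post."""
    if is_entitled(account, today):
        return "Welcome back"
    return "Your trial has EXPIRED! All notifications are now disabled"


class Notifier:
    """Records what each channel would send instead of really sending it."""

    def __init__(self) -> None:
        self.sent: List[Tuple[Channel, str, str]] = []

    def send(self, channel: Channel, account: Account, message: str) -> None:
        self.sent.append((channel, account.name, message))


def notify_vulnerable(notifier: Notifier, account: Account,
                      incident: Incident, today: date) -> int:
    """Flawed pattern: only the banner checks entitlement, so a status
    change still fans out to every channel. Returns the number of sends."""
    message = f"Incident '{incident.title}' is now {incident.status}"
    for channel in Channel:
        notifier.send(channel, account, message)
    return len(notifier.sent)


def notify_fixed(notifier: Notifier, account: Account,
                 incident: Incident, today: date) -> int:
    """Hardened dispatch: re-check entitlement at the point of sending,
    for every channel, with the same function the banner uses."""
    if not is_entitled(account, today):
        return 0
    message = f"Incident '{incident.title}' is now {incident.status}"
    for channel in Channel:
        notifier.send(channel, account, message)
    return len(notifier.sent)


Dispatch = Callable[[Notifier, Account, Incident, date], int]


def reproduce(dispatch: Dispatch, plan: str,
              trial_started: Optional[date], today: date) -> int:
    """Walk the post's PoC and return how many notifications went out."""
    account = Account(name="tester", plan=plan, trial_started=trial_started)
    notifier = Notifier()
    login_banner(account, today)             # step 1: expiry banner at login
    incident = Incident(title="disk full")   # step 2: create an incident
    incident.status = "resolved"             # step 3: mark it resolved
    return dispatch(notifier, account, incident, today)  # step 4: what got sent?


if __name__ == "__main__":
    print("vulnerable, expired trial:",
          reproduce(notify_vulnerable, "trial", EXPIRED_TRIAL_START, TODAY))
    print("fixed, expired trial:     ",
          reproduce(notify_fixed, "trial", EXPIRED_TRIAL_START, TODAY))
    print("fixed, paid account:      ",
          reproduce(notify_fixed, "paid", None, TODAY))
```

The design point is that `is_entitled` is called from both the banner and the dispatcher: when the UI message and the sending logic derive from different checks (or the sending logic has none), the two drift apart and you get exactly the mismatch the post observed. A regression test that creates an incident under an expired account and asserts zero sends across all channels is the cheapest way to keep that from coming back.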

· Reward

“Somesite.com” doesn’t have a bug bounty program, but they rewarded me with swag for this issue.


Gupta Bless

Security enthusiast working to secure web for others.