Make Multiple Accounts with Same Email #3115
Closed
kkshitish9 started this conversation in Ideas
Replies: 1 comment
-
This is more the concern of https://github.com/OWASP/ASVS. I'd suggest posting it there, if it isn't already included. Thank you!
-
Hello Team,
I discovered a new kind of vulnerability where you can make the signup process verification pointless.
Here's how:
Description:
You can create multiple accounts with one email id. If you have already used [email protected] then you can reuse this email like this: [email protected], [email protected] and so on... again and again with +. This + is a Google account feature. My point is that when you use this method the signup OTP process becomes pointless. I mean, you put the OTP feature in signup to stop spam accounts, but this method makes the OTP feature pointless because you can use the same email again & again.
Steps To Reproduce:
+ Explain:
Let's suppose you used this email id: [email protected] in Twitter and you want to make one more account with the same email address; then you can reuse it again this way: [email protected], and you can do it again and again, like this time you can use [email protected], and so on...
You can create n number of accounts with the same email id, making the signup OTP feature pointless because it can't stop an attacker from making spam or bot accounts.
Fix
Do not allow any special characters in the email bar; only allow @
Impact
Fake accounts are easy to create, which makes the OTP signup feature pointless
Let me know your responses on this.
Thank you
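Added example, not part of the original post or of the project's code: one way a signup service can detect the reuse described above is to enforce uniqueness on a key for the underlying mailbox while still storing and mailing the address the user typed. The domain list, `dedup_key` and `SignupRegistry` are assumptions made for illustration, and the sample addresses are constructed.

```python
"""Added example: detect sign-ups that reuse one mailbox through "+tag" aliases."""

# Assumption: domains where "+tag" in the local part delivers to the same mailbox.
# The post names Google accounts; add other providers only after verifying them.
PLUS_ALIAS_DOMAINS = {"gmail.com", "googlemail.com"}


def dedup_key(address: str) -> str:
    """Return a key for the underlying mailbox, used only for uniqueness checks."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # domain names are case-insensitive
    if domain in PLUS_ALIAS_DOMAINS:
        # Drop everything from the first "+" and fold case for these providers.
        local = local.split("+", 1)[0].lower()
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
    # Other domains are left untouched: "+" may be a real part of the mailbox name.
    return f"{local}@{domain}"


class SignupRegistry:
    """In-memory stand-in for a users table with a unique index on dedup_key."""

    def __init__(self):
        self._first_seen = {}  # dedup key -> address used at first registration

    def register(self, address: str):
        """Return (accepted, address that owns the mailbox key)."""
        key = dedup_key(address)
        if key in self._first_seen:
            return False, self._first_seen[key]
        self._first_seen[key] = address
        return True, address


if __name__ == "__main__":
    registry = SignupRegistry()
    # Constructed sample sign-up attempts.
    for attempt in ("sample.user@gmail.com", "sample.user+1@gmail.com",
                    "Sample.User+2@Gmail.com", "dev+ops@example.org"):
        accepted, owner = registry.register(attempt)
        status = "accepted" if accepted else f"duplicate of {owner}"
        print(f"{attempt:28} -> {status}")
```

A rejected attempt can also be routed to rate limiting or manual review instead of a hard refusal, since the same key does not always mean abuse.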