Email Validation Bypass

Hemdeep Gamit
Nov 9, 2021


Hello everyone, I’m Hemdeep Gamit, a security researcher. I hope you’re all doing well. This is my first article, so please ignore my grammar, as English is not my first language. Today I’m writing about my last finding, in which I was able to bypass the email validation. So let’s start.

It’s a private program, so I’m not disclosing its name. As usual, I started by walking through the application (unauthenticated), visited some pages manually, and jumped to the Sign Up page.

It allows the user to enter a full name, work email and password to sign up. After that, an OTP is sent to the email address provided by the user. I entered all the details, but in the email field I entered my Gmail address “myemail@gmail.com”. After I clicked the Sign up button, the application did not accept the personal mail and threw an error like the one below.

Error: Please use you work email

Now it’s time to test the validation :)

I just entered the work email as “myemail@GMAIL.com”.

And the application accepted the email and sent an OTP to that mail. LOL. The application validates corporate domains and personal mail addresses in lowercase only.
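The flaw described above, next to a corrected check, as an added example that is not the program's code or part of the original article. It assumes the application compares the domain against a lowercase blocklist; the list contents, function names and sample addresses are hypothetical and constructed for illustration.

```python
# Added example; the blocklist and function names are hypothetical.
PERSONAL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com"})  # constructed


def split_address(address: str) -> tuple[str, str]:
    """Split on the last '@'; raise ValueError if either part is missing."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def is_work_email_naive(address: str) -> bool:
    """Exact string comparison against a lowercase list (the assumed flaw)."""
    _, domain = split_address(address)
    return domain not in PERSONAL_DOMAINS


def is_work_email(address: str) -> bool:
    """Domain names are case-insensitive, so lowercase before comparing."""
    _, domain = split_address(address)
    return domain.lower() not in PERSONAL_DOMAINS


def validation_gaps(addresses: list[str]) -> list[str]:
    """Return addresses the naive check accepts but the fixed check rejects."""
    return [a for a in addresses
            if is_work_email_naive(a) and not is_work_email(a)]


# Constructed sign-up inputs, including the two addresses from the article.
SAMPLES = ["myemail@gmail.com", "myemail@GMAIL.com",
           "someone@Yahoo.Com", "employee@corp.example"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:24} naive={is_work_email_naive(addr)!s:5} "
              f"fixed={is_work_email(addr)}")
    print("gaps:", validation_gaps(SAMPLES))
```

Running `validation_gaps` over existing sign-up records or in a regression test shows which accepted addresses would have been rejected after normalization.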

Stay Safe. Thank you for reading. :)
