For security reasons, we consider "Target app", as the target we practiced on, and the real name won't be disclosed in this post.
The target app, was a niche music streaming platform, available in web and mobile PWA, meaning the structure is same but access is easier for cross platform.
The app worked in this way :
- You register using an account, 3rd party like google or via email
- After that you can use the app for free with a 3 day window (3 day trial)
- After the 3 day you gotta buy subscription to continue listening
The flaw, existed in the first step, when you register using an email, no verification happens! You could enter any type of string@something.com, a random password and start your free trial.
So what happens is that first I use string1@something.com, for 3 days. When the time runs out, I use string2@something.com for another 3 days. And since the app's trial and actual subscription don't have any difference, and the 3 day time window is the only limitation, the user with such knowledge from the app doesn't need to buy any subscriptions while such flaw exists!
Mitigation:
- Apply email verification step after user input, so they have to use the received link to verify their address
- Blacklist "temporary email" service's address or IPs, so users won't generate any email to register after their trial has expired.
This way, the registration process isn't too complex while keeps app from attackers avoiding a "For ever free" usage on the app.
Top comments (1)
The disposable-domain blocklist holds up for a while, but the cheaper bypass here isn't even temp-mail — it's plain Gmail. string+1@gmail.com, string+2@gmail.com, or just shuffling a dot (str.ing@ and string@ land in the same inbox) all look like distinct accounts, and you're never going to blocklist gmail.com. So canonicalize the address before you check anything — strip the +suffix and the dots for providers that alias — which collapses those back to one identity, then let domain/IP risk scoring catch the actual throwaway services on top. ipasis.com/scan is handy for eyeballing how a given email or IP classifies while you tune that.