Today's Episode Of How Not To Handle Logins

I was using a large retailer's site. I was trying to complete my purchase, and upon clicking submit it logged me out and then locked my account. Some sort of security theater run amok.

The extra kick in the pants was that I could discover that my account was locked out just by entering my email address. I did not have to enter a password. Information Leakage FTW.

Next, I did some more digging with my ability to create an infinite number of valid email addresses. I discovered with this site you can easily lock out accounts and then discover their existence. Account Enumeration FTW.
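As an added illustration (example code, not the retailer's or the author's), here is a minimal login check in the leaky shape the post describes beside a version that returns the same message for every failure, so neither account existence nor lockout status can be read off the response. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"  # constructed; real systems use a per-user salt


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: email -> {hash, locked}
USERS = {
    "alice@example.com": {"hash": _hash("correct horse", SALT), "locked": False},
    "bob@example.com": {"hash": _hash("battery staple", SALT), "locked": True},
}
# Verified against when the email is unknown, so unknown accounts still
# cost a full hash computation and timing does not reveal existence.
DUMMY_HASH = _hash(secrets.token_hex(16), SALT)


def login_leaky(email: str, password: str) -> str:
    """The pattern in the post: each failure cause gets its own message,
    so the account list and the lockout state leak through the login page."""
    rec = USERS.get(email)
    if rec is None:
        return "Unknown email address"
    if rec["locked"]:
        return "Your account is locked"
    if hmac.compare_digest(rec["hash"], _hash(password, SALT)):
        return "OK"
    return "Incorrect password"


def login_uniform(email: str, password: str) -> str:
    """Hardened: the lockout is still enforced, but every failure returns one
    generic message and the password is always verified before deciding."""
    rec = USERS.get(email)
    stored = rec["hash"] if rec is not None else DUMMY_HASH
    password_ok = hmac.compare_digest(stored, _hash(password, SALT))
    if rec is None or rec["locked"] or not password_ok:
        return "Invalid email or password"
    return "OK"


def distinct_failure_messages(login) -> set:
    """How many different answers a caller can provoke from a login function
    using an unknown address, a locked account and a wrong password."""
    cases = [("nobody@example.com", "x"), ("bob@example.com", "x"),
             ("alice@example.com", "wrong")]
    return {login(email, pw) for email, pw in cases}
```

Three distinguishable messages from the leaky version is exactly the enumeration oracle the post describes; the uniform version collapses them to one.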

Finally, I checked their bug bounty. Guess what is out of scope? You guessed it. “Username / email enumeration via Login Page error message,” several other login issues, and a whole range of other potential issues.

Initially, I gave them the benefit of the doubt, thinking they made it out of scope because it was recently reported and they wanted to stop duplicates. Then I found this Out of Scope item, “Exfiltration of data.” I didn’t realize exfil is now a “feature.”

Benefit of the doubt, revoked. 😄

Pics or it didn’t happen:
