How to completely bypass authentication on RushOrderTees
Published on , 271 words, 1 minutes to read
Just don't enter a password lol
While evaluating RushOrderTees for a previous employer, an embarrassing security vulnerability was discovered. User accounts created inside their t-shirt designer do not have a password attached to them, allowing anyone to authenticate with only an email address. This allows disclosure of at least this information:
- Full name on any orders
- Any custom designs
- Order id numbers
- Phone numbers when placing new orders
This was proven by attempting to log into a RushOrderTees company account using a publicly visible email address.
Replication
RushOrderTees has not acknowledged this issue and it is still trivial to reproduce it today:
- Create a new design
- Attempt to purchase it
- Save it with a custom name
- Enter in your email address
You have now created a RushOrderTees account without a password attached.
Explanation
This lapse in security is understandable from a customer acquisition standpoint (every barrier in the way of users paying makes you lose half of your potential customer base), but is fairly inexcusable in 2024. Additionally, by making user accounts only protected with email addresses (public identifiers), this bypasses the entire point of authentication. It is difficult to figure out if this is a design choice or a security issue.
Timeline
- 2024-04-15: Initial contact made to Rushordertees' sales@ and security@ email. The security@ email bounced.
- 2024-04-16: Reduction in scope of the issue and complete replication instructions discovered.
- 2024-04-17: Various other attempts were made to get their attention, all ended in failure.
- 2024-09-20: This bulletin was posted.
Rushordertees has not acknowledged this bulletin and did not review it prior to publishing.
Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.
Tags: