Email Verification Bypass Allows Users to Add & Verify Any Email as Guardian's Email
High
Khan Academy
Reported by
shuvam321
Vulnerability Details
Technical details and impact analysis
1. Go to https://www.khanacademy.org/signup and sign up as a learner, keeping the date of birth below 13 years.
2. Now enter the victim's email as the parent's email; for example, here I am using [email protected] as the parent's email. Then click on Sign up.
3. Now you will see the following message: "Your parent or guardian must approve your account or it will be deleted in 7 days".
4. Now go to https://www.khanacademy.org/settings/account and update your email to a temporary email or any email you have access to.
5. Now you will receive a verification email at the temporary address you have access to. Do not click the link in that email yet. Now change the email again to [email protected].
6. Now open the verification email you received in your temporary email account in an incognito tab and refresh your child's account. We have successfully tied [email protected] as the parent account with email verification.
This is the account that I created: Username: ██████ Password: ██████████ Email: ████
## Impact
An attacker is able to bypass email verification.
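The root cause the steps expose is a verification link bound to the account but not to the address it was mailed to, so the address can be swapped between sending and clicking. The Python below is an added illustration, not Khan Academy's code: a weak issuer/verifier that reproduces that behaviour beside a hardened one that binds the token to the address and an expiry with an HMAC and rejects it if the address has changed since issuance. All addresses, the signing key and the `User` model are constructed for the example.

```python
import hmac, hashlib, secrets, time
SECRET = secrets.token_bytes(32)  # constructed server-side signing key

class User:
    def __init__(self, user_id, email):
        self.user_id, self.email = user_id, email
        self.email_verified, self.pending = False, set()  # pending: outstanding weak tokens

def issue_weak(user):
    # Weak design: the token is tied to the account only, not to the address it was mailed to.
    tok = secrets.token_urlsafe(16)
    user.pending.add(tok)
    return tok

def verify_weak(user, tok):
    # Marks whatever address the account holds *now* as verified, so swapping the address
    # between send and click (steps 4 and 5 of the report) verifies the victim's address.
    if tok not in user.pending:
        return False
    user.pending.discard(tok)
    user.email_verified = True
    return True

def _mac(user_id, email, exp):
    return hmac.new(SECRET, f"{user_id}|{email}|{exp}".encode(), hashlib.sha256).hexdigest()

def issue_strong(user, ttl=3600, now=None):
    # Hardened: the token names the address and expiry and is authenticated with an HMAC.
    exp = int((now or time.time()) + ttl)
    return f"{user.email}|{exp}|{_mac(user.user_id, user.email, exp)}"

def verify_strong(user, tok, now=None):
    try:
        email, exp, mac = tok.rsplit("|", 2)
        exp = int(exp)
    except ValueError:
        return False
    if (now or time.time()) > exp or not hmac.compare_digest(mac.encode(), _mac(user.user_id, email, exp).encode()):
        return False  # expired, tampered or forged link
    if email != user.email:
        return False  # address changed since the mail was sent: a fresh link is required
    user.email_verified = True
    return True

def swap_attack(issue, verify):
    # Replays steps 4-6: get a link for a controlled address, change the address, then click.
    u = User(1, "controlled@example.invalid")  # constructed addresses
    tok = issue(u)
    u.email = "victim@example.invalid"
    return verify(u, tok) and u.email_verified
```

`swap_attack(issue_weak, verify_weak)` leaves the swapped-in address verified, while `swap_attack(issue_strong, verify_strong)` does not, because the address in the signed token no longer matches the account.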
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Privilege Escalation