Bypassing creation of API tokens without email verification
Low
Cloudflare Public Bug Bounty
Team Summary
Official summary from Cloudflare Public Bug Bounty
Cloudflare restricts the creation of API Tokens to email-verified accounts; however, if an email-verified account changed their account's email address without verifying the new email, previously created API tokens remained valid and could be rotated in the Dashboard. Cloudflare's Engineering Team changed the process for changing an account's email and required verification before the completion of the email change procedure.
Reported by
boy_child_
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Authentication - Generic
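The state problem in the team summary, and the staged email change that removes it, as an added example that is not Cloudflare's code: the Account model, its method names and the example.test addresses are all assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Account:  # hypothetical model, not Cloudflare's data model
    email: str
    email_verified: bool = False
    pending_email: Optional[str] = None
    pending_code: Optional[str] = None
    api_tokens: Dict[str, str] = field(default_factory=dict)  # name -> secret

    def create_token(self, name: str) -> str:
        # Creation is restricted to email-verified accounts.
        if not self.email_verified:
            raise PermissionError("email address is not verified")
        self.api_tokens[name] = secrets.token_urlsafe(32)
        return self.api_tokens[name]

    def rotate_token(self, name: str) -> str:
        # Rotation has no verification check of its own, as in the report.
        if name not in self.api_tokens:
            raise KeyError(name)
        self.api_tokens[name] = secrets.token_urlsafe(32)
        return self.api_tokens[name]

    def change_email_unsafe(self, new_email: str) -> None:
        # "Before": the address is swapped at once and left unverified.
        self.email, self.email_verified = new_email, False

    def request_email_change(self, new_email: str) -> str:
        # "After": stage the change; the verified address stays in force.
        self.pending_email = new_email
        self.pending_code = secrets.token_urlsafe(16)
        return self.pending_code  # would be mailed to new_email

    def confirm_email_change(self, code: str) -> bool:
        # Complete the change only when the mailed code matches.
        if self.pending_code is None or not hmac.compare_digest(
                code.encode(), self.pending_code.encode()):
            return False
        self.email, self.email_verified = self.pending_email, True
        self.pending_email = self.pending_code = None
        return True

def tokens_outlive_verification(acct: Account) -> bool:
    # Invariant check: live API tokens on an account whose email is unverified.
    return bool(acct.api_tokens) and not acct.email_verified
```

Running `tokens_outlive_verification` over stored accounts is also a quick audit for accounts left in the old state.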