by flingo
1288 days ago
I once signed up to a service (privately run VPN thing) run by a university club that required confirming a real university student email address without having such an address. So, you needed to click a confirm link sent to "studentfoo@uni.tld". Then, mostly as a goof, I tried signing up with an address like "studentfoo@uni.tld@example.com" where I controlled the second domain. Lo and behold, the confirmation email showed up in my catchall inbox on that domain. Pretty sure the only check the site did was .contains("@uni.tld") and assumed it was good enough. (Or whoever wrote it put it in as a backdoor.) Really regret not reporting that bug to them.
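An added example, not part of the comment above and not the site's code: the substring check the commenter guesses at, next to a stricter check that requires exactly one "@" and an exact domain match. The function names are hypothetical, `uni.tld` is the placeholder domain from the comment, and the sample addresses are constructed.

```python
ALLOWED_DOMAIN = "uni.tld"  # placeholder domain from the comment


def naive_is_student(address: str) -> bool:
    """Substring test: true if "@uni.tld" appears anywhere in the string."""
    return ("@" + ALLOWED_DOMAIN) in address


def strict_is_student(address: str) -> bool:
    """Accept only local@uni.tld: one '@', non-empty local part, exact domain."""
    # Whitespace and control characters have no place in an address used for
    # an access decision and can confuse downstream mail handling.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in address):
        return False
    # With more than one '@', the validator and the mail system may disagree
    # about which part is the domain, so refuse instead of guessing.
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not local or len(local) > 64:
        return False
    # Compare the whole domain, case-insensitively; no substring or suffix match.
    return domain.lower() == ALLOWED_DOMAIN


# Constructed sample inputs.
SAMPLES = [
    "studentfoo@uni.tld",              # legitimate
    "studentfoo@uni.tld@example.com",  # the address from the comment
    "studentfoo@uni.tld.example.com",  # allowed domain used as a subdomain label
    "studentfoo@UNI.TLD",              # legitimate, different case
    "studentfoo@example.com",          # unrelated domain
    "@uni.tld",                        # empty local part
]


def compare(samples=SAMPLES):
    """Return (address, naive_result, strict_result) for each sample."""
    return [(a, naive_is_student(a), strict_is_student(a)) for a in samples]


if __name__ == "__main__":
    for address, naive, strict in compare():
        print(f"{address!r:40} naive={naive!s:5} strict={strict}")
```

The confirmation link still has to be sent to the address exactly as validated, so the check and the mail delivery cannot disagree about the recipient.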