Status: Patched
This vulnerability has been verified as resolved and deployed.
0-click Account Takeover and Admin Operations via helper endpoint authorization bypass
Summary
Broken Access Control allows unauthenticated email updates via Helper API
The helper endpoint responsible for updating user email addresses performs a sensitive account mutation without performing any authentication or authorization beyond confirming that an Authorization header exists. Api::Internal::Helper::BaseController#verify_authorization_header! only checks for the header’s presence and does not enforce a signature, token, or identity check unless an action explicitly invokes authorize_hmac_signature! or authorize_helper_token!. The UsersController never calls either method, leaving POST /api/internal/helper/users/update_email callable by any unauthenticated client that supplies an arbitrary header (e.g., Authorization: foo).
An attacker can submit current_email and new_email parameters for any account, causing the controller to look up the target user via User.alive.by_email and set user.email = params[:new_email] with no ownership verification. Persisting the change allows the attacker to initiate password resets to the new email address, effectively taking over the victim’s account. This is a direct broken access control vulnerability with high impact on account integrity and confidentiality.
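The gap between the presence-only check and a real authenticity check is easiest to see side by side. The following plain-Ruby model is an added example, not Gumroad's controller code: it stands in for the `verify_authorization_header!` behaviour the report describes (header present, nothing else verified) and pairs it with a hardened gate that requires an HMAC-SHA256 over the raw request body, keyed with a secret shared only with the legitimate helper tool and compared in constant time. `UserStore`, `HMAC_SECRET`, `update_email` and the gate lambdas are constructed names for this illustration; the real application's `authorize_hmac_signature!` may differ in detail.

```ruby
require 'openssl'
require 'json'

# Constructed in-memory stand-in for User.alive.by_email (assumption: lookup by exact email).
class UserStore
  def initialize(emails)
    @users = emails.map { |e| { email: e } }
  end

  def by_email(email)
    @users.find { |u| u[:email] == email }
  end

  def emails
    @users.map { |u| u[:email] }
  end
end

# Vulnerable gate, as the report describes it: any non-empty Authorization header passes.
def header_present?(headers)
  !headers['Authorization'].to_s.empty?
end

# Hardened gate: the Authorization header must equal HMAC-SHA256(secret, raw body).
# Placeholder secret for the example; a deployment would load it from encrypted credentials.
HMAC_SECRET = 'constructed-shared-secret-do-not-reuse'.freeze

def expected_signature(body, secret = HMAC_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end

# Constant-time comparison so a wrong signature cannot be recovered byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def hmac_valid?(headers, body, secret = HMAC_SECRET)
  secure_compare(headers['Authorization'].to_s, expected_signature(body, secret))
end

VULNERABLE_GATE = ->(headers, _body) { header_present?(headers) }
HARDENED_GATE   = ->(headers, body)  { hmac_valid?(headers, body) }

# Models the update_email action: gate first, then the lookup-and-assign path from the report.
# Returns [http_status, message].
def update_email(store, headers, body, gate:)
  return [401, 'unauthorized'] unless gate.call(headers, body)

  params = JSON.parse(body)
  user = store.by_email(params['current_email'])
  return [404, 'user not found'] unless user

  user[:email] = params['new_email']   # the sink: persisted with no further identity check
  [200, 'success']
end

if __FILE__ == $PROGRAM_NAME
  body = JSON.generate('current_email' => 'victim@example.com', 'new_email' => 'new@example.com')
  puts "presence-only gate, header 'foo': #{update_email(UserStore.new(['victim@example.com']), { 'Authorization' => 'foo' }, body, gate: VULNERABLE_GATE).inspect}"
  puts "HMAC gate, header 'foo':          #{update_email(UserStore.new(['victim@example.com']), { 'Authorization' => 'foo' }, body, gate: HARDENED_GATE).inspect}"
  puts "HMAC gate, valid signature:       #{update_email(UserStore.new(['victim@example.com']), { 'Authorization' => expected_signature(body) }, body, gate: HARDENED_GATE).inspect}"
end
```

Because the signature covers the raw body, a signature captured for one request cannot be replayed with a different `current_email` or `new_email`; a production variant would also bind a timestamp or nonce into the signed material to limit replay of an identical request.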
CVSS Score
Vulnerability Location
Sink-to-Source Analysis
User lookup is driven directly by attacker-controlled current_email.
Attacker-controlled new_email is assigned to victim user without ownership checks.
Saving persists the unauthorized email change.
The controller confirms success to the attacker, completing the takeover path.
Impact Analysis
Critical Impact
Full account takeover, access to private sales data, payout redirection, customer records, and the ability to impersonate the victim. The attack is remote, unauthenticated, and repeatable.
Attack Surface
Publicly accessible API endpoint /api/internal/helper/users/update_email on api.gumroad.com.
Preconditions
Network access to the API endpoint. No valid credentials or secrets are required—only an Authorization header with any arbitrary value.
Proof of Concept
Environment Setup
Requirements:
OS: Ubuntu 22.04 LTS or macOS 14.
Packages: git, ruby-full, nodejs, npm, postgresql, curl, jq.
Clone & Install:
Database & Secrets:
Target Configuration
Start the Rails server:
Ensure a test user exists (replace with real email in production):
Exploit Delivery
Because the endpoint only checks for header presence, any arbitrary value suffices.
Outcome
The attacker gains full control over the victim’s Gumroad account by hijacking the email address and resetting the password, compromising confidential data and payouts.
Expected Response:
