industry · 2026-05-24 · 13 min read

I found an affiliate magic-link rate-limit bypass via Gmail + alias (PR #626 GGG F5)

Damla (@damlabits), a 29-year-old freelance security researcher and part-time bug bounty hunter from Aziziye, Erzurum, looked at the thMenu affiliate signup flow on a Tuesday night around 21:00. `POST /api/affiliate/signup` takes email + Turnstile + name; the server sends a magic link. Rate-limit test: 5 attempts from damla.bits@gmail.com within 5 minutes, and the 6th returned "Too many attempts, try again in 30 minutes", the expected behaviour. Then 5 attempts from damla.bits+test1@gmail.com: **all went through**. damla.bits+1, +2, ..., +9 followed, 50 attempts in 5 minutes in total, all successful.

**Gmail + alias + dot canonicalization**: alice@gmail.com == alice+spam@gmail.com == alice+anything@gmail.com == a.l.i.c.e@gmail.com == ALICE@GMAIL.COM are all delivered to the same inbox. In an identity-bearing context that is a policy bypass vector.

**3 attack vectors**: (1) magic-link email spam: if the attacker knows the target's email, 50 magic-link emails a minute flood the inbox; (2) Resend/SES budget burn: 1000 attackers × 50/email × 100 different emails = 5M emails/hour, a $5,000/hour invoice burst; (3) affiliate self-referral fraud: N affiliate accounts from a single Gmail account, then 20% commission × N on the attacker's own restaurant.

Forensics: apps/web-affiliate/src/app/api/signup/route.ts had `const email = body.email.trim().toLowerCase();` and ``const rateLimitKey = `magic_link_signup:${email}`;``, i.e. only case and edge whitespace were normalized. No Gmail-specific + alias or dot canonicalization at all. `grep -rn "email.toLowerCase" apps/` turned up 23 identity-bearing call sites, every one a plain `.toLowerCase()`. A grep of 90 days of Cloudflare access logs for the pattern `magic_link_signup:.*\+.*@gmail.com`: **0 prior exploits**. No bot scanner had cleanly hit this; Damla was the first.

**PR #626 batch GGG F5** fix: **Layer 1, a canonicalizeEmail helper** in the shared package packages/shared-types/src/lib/email.ts, with per-provider handling: Gmail (+ alias and dot stripping), Outlook/Hotmail/Live (+ alias), Fastmail/ProtonMail (+ alias).

**Layer 2, a sweep of the 23 identity-bearing call sites**: affiliate signup, customer magic link, customer email verification, invoice receipt, loyalty, waitlist, reservation, 1099 alert, drip and payout. Backfill of an email_canonical column with a UNIQUE constraint on the customer_profiles, affiliate_profiles and loyalty_members tables (the raw email column is kept for display). 12 duplicate clusters found (mostly foo@gmail.com + foo+old@gmail.com, the same person), merged manually: loyalty consolidated, name/IBAN preserved via the latest update. Self-referral evaluator (PR #469) audit: the 12 clusters are ~2.3% of affiliates; 8 innocent (typo / second restaurant), 4 explicit fraud-vector self-referral. The 4 fraud clusters had their commission reversed and the accounts terminated. HIGH severity, €750 Wise transfer, Hall of Fame, 1 year of unlimited Pro tier.

Pattern: **a provider-specific canonicalization helper is mandatory for identity-bearing fields (email and phone). `.toLowerCase()` + `.trim()` alone is not enough. Gmail + alias and dots, Outlook + alias, Fastmail + alias and ProtonMail + alias all have to be handled. Put the helper in the shared package, route every identity-bearing call site through it, add a DB UNIQUE canonical column, a linter rule and a quarterly fraud audit.** Iona (@ionasec), Glasgow Kelvingrove West End version: same flow.
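As an added example (not the helper PR #626 put in packages/shared-types, whose code the post does not show), here is a TypeScript canonicalizeEmail with the per-provider rules the post lists, the pre-fix and post-fix rate-limit key derivations, and a toy counter that replays the 50-request alias burst against both; the domain lists, the key helpers and the counter are assumptions.

```typescript
// Added example, not thMenu's own packages/shared-types helper. Provider rules follow
// the post: Gmail ignores "+tag" and dots in the local part; Outlook/Hotmail/Live, Fastmail
// and ProtonMail ignore "+tag" only (domain lists assumed); anything else is trimmed + lowercased.
const GMAIL_DOMAINS = ["gmail.com"];
const PLUS_ONLY_DOMAINS = ["outlook.com", "hotmail.com", "live.com", "fastmail.com", "protonmail.com"];

function canonicalizeEmail(raw: string): string {
  const email = raw.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) throw new Error("invalid email");
  let local = email.slice(0, at);
  const domain = email.slice(at + 1);
  if (GMAIL_DOMAINS.indexOf(domain) >= 0) {
    local = local.split("+")[0].replace(/\./g, ""); // alice+x, a.l.i.c.e -> alice
  } else if (PLUS_ONLY_DOMAINS.indexOf(domain) >= 0) {
    local = local.split("+")[0]; // alice+x -> alice; dots stay significant
  }
  return `${local}@${domain}`;
}

// The two key derivations the post contrasts: pre-fix (case + edge whitespace
// only) and post-fix (built on the canonical form).
const naiveKey = (raw: string): string => `magic_link_signup:${raw.trim().toLowerCase()}`;
const canonicalKey = (raw: string): string => `magic_link_signup:${canonicalizeEmail(raw)}`;

// In-memory fixed-window counter (stand-in for the real store): how many of
// `attempts` are accepted at `limit` per key within one window.
function countAllowed(attempts: string[], keyOf: (raw: string) => string, limit = 5): number {
  const hits: Record<string, number> = {};
  let allowed = 0;
  for (const raw of attempts) {
    const key = keyOf(raw);
    hits[key] = (hits[key] || 0) + 1;
    if (hits[key] <= limit) allowed++;
  }
  return allowed;
}

// Constructed burst in the shape of the report: base address plus 9 "+tagN"
// aliases, 5 attempts each, i.e. 50 requests inside one window.
function aliasBurst(base: string, aliases = 9, perAlias = 5): string[] {
  const parts = base.split("@");
  const attempts: string[] = [];
  for (let i = 0; i <= aliases; i++) {
    const addr = i === 0 ? base : `${parts[0]}+tag${i}@${parts[1]}`;
    for (let j = 0; j < perAlias; j++) attempts.push(addr);
  }
  return attempts;
}
```

With naiveKey the burst yields 10 distinct keys and all 50 requests pass; with canonicalKey every alias collapses onto one key and only the first 5 do.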

thMenu Team

thmenu.com