Account Verified Bypass

Easy+50 XPA08:2021 Software and Data Integrity FailuresCWE-915

Mass AssignmentAccount Integrity

Scenario

Users must go through an email verification flow before they gain full platform access. The updateAccount endpoint, however, accepts any fields in the request body and applies them directly to the stored account.

An attacker can skip verification entirely by sending isVerified: true in their profile-update request, granting themselves the privileges of a verified user.

Verification bypasses let unvetted users access paid or restricted features. In fintech or compliance contexts this can be a regulatory violation as well as a security failure.

Your Tasks

Fix updateAccount so that the fields 'isVerified', 'id', and 'createdAt' are always stripped from updates before being applied. Only 'name' and 'email' may be changed.

Examples

Example 1 — Verification bypass blocked

updateAccount('u1', { isVerified: true }, db)
// returns account with isVerified still false

Constraints

›Throw exactly 'Not found' when the account does not exist
›Return the updated account object
›isVerified, id, and createdAt must never change via this function

Hint

References

https://owasp.org/www-project-top-ten/2021/A08_2021-Software_and_Data_Integrity_Failures https://cwe.mitre.org/data/definitions/915.html

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run