Bypassing Email Verification in Node.js with a Simple Logic Flaw

medium.com · Youssef Ezzat · 13 days ago · research
quality 7/10 · good
0 net
Youssef Ezzat · ~2 min read · March 26, 2026 (Updated: March 26, 2026)

While I was working on a simple registration system in Node.js, I wanted to understand how email verification works in the backend.

The flow was the usual one: the user registers, the backend generates a token and sends it by email, and the user sends the token back to verify the account. So everything depends on how the backend checks that token.

This is the code in the verification endpoint:

```javascript
exports.verifyAccount = async (req, res) => {
  const { email, token } = req.body;

  const user = await User.findOne({ email });
  if (!user) {
    return res.status(400).json({ message: "User not found" });
  }

  if (user.verificationToken == token) {
    user.isVerified = true;
    await user.save();
    return res.json({ message: "Account verified" });
  }

  res.status(400).json({ message: "Invalid token" });
};
```

At first glance it looks fine: it fetches the user, compares the token, and verifies the account if the two match. The problem is in this line:

```javascript
if (user.verificationToken == token)
```

The backend uses loose equality (==) and never checks that a token actually exists, on either side of the comparison.

Now imagine that, for some reason (for example, the field was cleared after an earlier verification), the token stored in the database is null:

```json
{ "email": "[email protected]", "verificationToken": null, "isVerified": false }
```

Then I send this request:

```json
{ "email": "[email protected]", "token": null }
```

The backend compares null == null, which is true. The condition passes and the account becomes verified without any real token.

The same thing happens if the client simply omits the token field: req.body.token is then undefined, and undefined == null is also true under loose equality.

Exploitation is trivial. Just send:

```http
POST /api/auth/verify
Content-Type: application/json

{ "email": "[email protected]", "token": null }
```

If the stored token is null or missing, the account is verified directly. No brute force, no guessing, nothing complex.

What this means:

- You can bypass email verification for any account whose stored token is null or absent.
- You can create verified accounts without owning the email address.
- Any feature that depends on verified users can be abused.

The fix looks simple, but be careful about which part actually closes the hole. Switching to strict comparison is good hygiene:

```javascript
if (user.verificationToken === token)
```

On its own, though, it does not fix this bug: null === null is still true, and undefined === undefined is true when the field is absent on both sides. The essential check is that a real token exists before anything is compared, on the stored side and on the client side:

```javascript
if (!user.verificationToken || typeof token !== "string" || token.length === 0) {
  return res.status(400).json({ message: "Invalid token" });
}
```

Alternatively, check both values in the query:

```javascript
const user = await User.findOne({ email, verificationToken: token });
```

This variant needs the same input check in front of it. In MongoDB a filter of { verificationToken: null } matches documents where the field is null or missing, so a null token would still find the user; rejecting anything that is not a non-empty string before it reaches the query also keeps objects smuggled in through the JSON body out of the filter. Once the token has been used, clear it so it cannot be replayed.

A small mistake like this is enough to bypass the whole verification system. It is not a complex bug, just weak validation that leads to a full bypass.

I hope you enjoyed this write-up; see you in the coming ones.

#cybersecurity #bug-bounty #javascript #nodejs #backend