Just found a crazy business logic flaw. What severity would you give this?
Hey guys, wanted to share an interesting finding from a recent test and see how you would rate it. It got marked as P3, which honestly surprised me.
The bug is on a large platform for creating websites. An unauthenticated attacker can hit the registration endpoint and register live TLDs (.com, .net, etc.) completely for free.
The impact is pretty wild: you don't need any verification, and no payment was made by you, so you can register thousands of domains completely anonymously with fake contact info. Great for malicious infrastructure or crime, with zero trace back to the attacker.
On top of that, there's an endpoint that lets you completely bypass the 60-day transfer lock. You can get the auth codes and move the domains to an external registrar instantly, so the company can't even recover them.
I registered 5 live domains, changed DNS, and unlocked them to prove it. Public WHOIS confirmed they were completely unlocked.
To me, letting attackers spin up unlimited anonymous criminal infrastructure while draining the company's real cash feels like it's beyond P3.
What do you think? Is P3 fair here?