So nobody here can think of any possible scenario where bypassing a server-side check for 'Account X can access Feature Y' could directly lead to a security issue?
This is absolutely 100% a vulnerability - insomuch as that Cloudflare should have an explicit policy that ALL account features are enabled / verified server-side, not client side.
Think of all the spam that would have happened, had this been discovered on underground black-hat forums.
Do you want to offer some? It's not clear this even bypassed payment that should have been due. That would be worse, and still not really a vulnerability.
> Think of all the spam that would have happened, had this been discovered on underground black-hat forums.
What spam would have happened as a result of early access to a new Cloudflare feature, that's independent of any (other) bugs/security flaws in that feature?
(Also, even with the actual vulnerability here, what 'spam' would have happened? This hijacks receiving. Worse, yes, but I don't see how it helps spammers.)
Accessing functionality you should not otherwise have access to is by definition a vulnerability. CF apparently agrees since they paid out a bounty for it.
> CF apparently agrees since they paid out a bounty for it.
Not really, it was mentioned as part of a report of the main, much more critical issue of 'hijacking email with Cloudflare Email Routing' - note that's the title itself, not 'accessing a cloudflare beta feature'...