Story of a Pre-Account Takeover

Hello everyone, hope you are having a great day. Today I am going to talk to you about an interesting bug that I found on a private program on HackerOne.

It is one of the most popular investing apps on the market. I cannot disclose the name of the program since the vulnerability is not fixed yet. The application allowed users to log in with its own authentication system or with social authentication (Google and Facebook). The flaw was in the ‘Login with Google/Facebook’ functionality: the email address entered after a social signup was accepted without being verified, and there was no ‘Disconnect from Google/Facebook’ feature. Once a social account was associated with an email, it was permanently linked and could not be unlinked, not even by resetting the password. Let me walk you through the steps to reproduce:

  1. Sign up for an account with the attacker’s Google account.
  2. After signup, the attacker is prompted to set a username, email, and password for the account.
  3. The attacker changes the email to the victim’s email (which is never verified), sets a username and password, and completes the signup process.
  4. When the victim later tries to create an account, an “email already exists” message pops up. The victim then resets the password for that account and successfully gains access to it.

The victim is unaware that the attacker’s Google account is still connected to his account, and there is no way for him to unlink it.

The attacker just needs to use the ‘Login with Google’ functionality to access the victim’s account, and boom.
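To make the failure concrete, here is an added example: a toy model of the auth backend that I wrote for this writeup, not the app’s own code, with every name, email and subject id in it made up. With `hardened=False` it reproduces the five steps above; with `hardened=True` it refuses to bind an email the identity provider did not vouch for, and a password reset additionally revokes any social link that was attached before the address was proven. It also includes the unlink feature the app was missing.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    email_verified: bool
    password: Optional[str] = None  # plaintext only because this is a toy; hash in real code
    # provider -> (provider subject id, was the email verified when the link was made?)
    social_links: dict[str, tuple[str, bool]] = field(default_factory=dict)


class AuthService:
    """Minimal auth backend. hardened=False reproduces the flaw in the writeup."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.by_email: dict[str, Account] = {}
        self.by_social: dict[tuple[str, str], Account] = {}
        self.reset_tokens: dict[str, str] = {}

    def _register(self, acct: Account) -> None:
        self.by_email[acct.email] = acct
        for provider, (subject, _) in acct.social_links.items():
            self.by_social[(provider, subject)] = acct

    def social_signup(self, provider, subject, provider_email, chosen_email, password):
        """Steps 1-3: user arrives from the IdP, then picks an email and password."""
        if chosen_email in self.by_email:
            raise ValueError("email already exists")
        # The IdP only vouches for provider_email; any other address is an unproven claim.
        verified = chosen_email.lower() == provider_email.lower()
        if self.hardened and not verified:
            raise ValueError("verify the new email before it can be bound to this account")
        acct = Account(chosen_email, verified, password, {provider: (subject, verified)})
        self._register(acct)
        return acct

    def password_signup(self, email, password):
        if email in self.by_email:
            raise ValueError("email already exists")
        acct = Account(email, email_verified=False, password=password)
        self._register(acct)
        return acct

    def request_password_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token  # delivered to the mailbox out of band

    def reset_password(self, token, new_password):
        email = self.reset_tokens.pop(token)
        acct = self.by_email[email]
        acct.password = new_password
        acct.email_verified = True  # completing a reset proves control of the mailbox
        if self.hardened:
            # Defense in depth: drop every social link attached before ownership was proven.
            for provider, (_, bound_verified) in list(acct.social_links.items()):
                if not bound_verified:
                    self.unlink_social(acct, provider)
        return acct

    def unlink_social(self, acct, provider):
        """The 'Disconnect from Google/Facebook' feature the app lacked."""
        subject, _ = acct.social_links.pop(provider)
        self.by_social.pop((provider, subject), None)

    def password_login(self, email, password):
        acct = self.by_email.get(email)
        return acct if acct and acct.password == password else None

    def social_login(self, provider, subject):
        return self.by_social.get((provider, subject))


def attacker_gets_in(hardened: bool) -> bool:
    """Replay the writeup's steps; True means the attacker ends up inside the victim's account."""
    svc = AuthService(hardened)
    victim_email = "victim@example.com"  # constructed sample data
    try:
        svc.social_signup("google", "sub-attacker-1", "attacker@gmail.com", victim_email, "attacker-pw")
    except ValueError:
        return False  # hardened signup refuses the unverified address
    try:  # Step 4: the victim's own signup is rejected, so they reset the password instead
        svc.password_signup(victim_email, "victim-pw")
    except ValueError:
        pass
    victim_acct = svc.reset_password(svc.request_password_reset(victim_email), "victim-pw")
    assert svc.password_login(victim_email, "victim-pw") is victim_acct
    # Step 5: the attacker just uses 'Login with Google'.
    return svc.social_login("google", "sub-attacker-1") is victim_acct


def legacy_link_revoked_on_reset() -> bool:
    """Hardened service with a pre-existing (constructed) account whose Google link was
    attached while the email was still unverified: the reset must sever that link."""
    svc = AuthService(hardened=True)
    svc._register(Account("victim@example.com", False, "attacker-pw", {"google": ("sub-attacker-1", False)}))
    svc.reset_password(svc.request_password_reset("victim@example.com"), "victim-pw")
    return svc.social_login("google", "sub-attacker-1") is None


if __name__ == "__main__":
    print("vulnerable:", attacker_gets_in(hardened=False))   # True: takeover succeeds
    print("hardened:  ", attacker_gets_in(hardened=True))    # False: blocked at signup
    print("legacy link revoked on reset:", legacy_link_revoked_on_reset())
```

The two controls are independent: verifying the address before binding it removes the pre-account takeover, and revoking unproven social links on password reset protects accounts created before the fix. Either one alone would have stopped the attacker; the app had neither, and no unlink button for the victim to fall back on.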

This was it for my first bug bounty writeup. Hope this will help you learn something new. Peace.

Kushal Dhakal