Account Takeover worth of $5

Jefferson Gonzales (Gonz)
4 min readFeb 26, 2023

$whoami

I’m Jefferson Gonzales from Philippines you can call me Gonz in short, 19 years old a first year college student taking the degree Bachelor of Science in Information Technology, I do Bug Bounty Hunting when I have free time.

Acknowledged by Google, Nokia, UN, BBC and 20+ companies.

In this write-up I will tell you how I found an Account Takeover vulnerability and received a $5 amazon voucher, without wasting your time let’s get started.

Let’s call the target redacted.com, when I have a target my first approach is to test the login/signup feature, in redacted.com you can sign in and signup using Google, Facebook and GitHub OAuth.

When I test a signup/register functionality I tried these tricks to signup the existing email hoping that I can overwrite the password of the existing email.

First I signup on https://redacted.com/register using the existing email but failed

I signed up using existing email and try to put “%00” after the email, but I got “Invalid email ID”

Then I tried to put a space after the email address, but I got “Email is already registered”

I tried to put the space before the email address, and to my surprise I was redirected to the dashboard, but in my case I wasn’t able to overwrite the existing account, the password and other information of the existing account was not change at all so this bug has no impact. But you can try this trick to your target program if your are lucky then you can overwrite the existing account.

I tried the lower and upper case to trick the server, but still I got “Email is already registered”

In my case all the tricks above is not working, so I tried to explore other functionalities, and I found that a user in redacted.com can signup using Google OAuth.

so I test the Google OAuth then I register an account using it and it redirected me to the Dashboard after I signed up

One thing that comes to my mind is “What if I will use to register the email address of a user that uses the Google OAuth when they signup?” and yeah! redacted.com is not checking if the email address is already registered or not if it is uses the Google OAuth when signing up

Step to Reproduce

  1. As a victim create an account on https://redacted.com/register using Google OAuth

2. As attacker create an account using email and password on https://redacted.com/register and use the victim’s email address that he used when he register using the Google OAuth

After that you will be redirected to the Dashboard of the victim’s account

Attack Scenario

Suppose the victim used the Google OAuth when he/she register his/her account on redacted.com, when the attacker tried to register the victims email using email & password, redacted.com is not checking if the email is already registered or not and this mistake can lead to Account Takeover of any user on redacted.com that uses the Google OAuth when they register.

Reward Time:

Contact me on:

Twitter: https://twitter.com/gonzxph

LinkedIn: https://www.linkedin.com/in/gonzxph/

--

--