Posts

Showing posts from February, 2025

🔥 Account Takeover via Duplicate Registration — A 1500 Euro Jackpot

The Bug
Found a critical account takeover in a web application’s registration flow. The platform allowed creating the same account (same email) from a different session, even though the account already existed.

Step-by-Step PoC
1. Create an account with the email xyz@account.com and place some orders.
2. In a different session, re-register using the same email: xyz@account.com.
3. ✅ Registration works again — no error for the duplicate account.

Now the attacker controls the victim’s orders, can change the password, and has full account access = total takeover.

Impact
- Complete account takeover
- Orders, personal data, everything exposed
- Victim locked out after the attacker changes the password

Status
Accepted as High ✅
Rewarded 1500 Euros 💰

Takeaway
Duplicate account creation = critical bug hiding in plain sight. Sometimes basic checks (like preventing duplicate registrations) protect the entire platform.

💸 "65 Euros for an Account Deletion Fail — When Deleted Doesn’t Mean Deleted"

The Bug
I found a weird issue with the platform’s account deletion flow: when a user deletes their account, their added email addresses were not removed from the system. If the user tried to sign up again using the same email, they couldn’t — the system claimed the email was still in use.

Impact
- Users locked out from re-registering after deleting their accounts.
- Incomplete deletion = privacy issue (user data retained after account removal).

Status
Bug accepted ✅
Rewarded 65 Euros 💰

Key Lesson
Deleting an account should mean deleting everything tied to it, including secondary emails. Half-baked deletion flows = low payout bugs, but solid finds.

The Curious Case of Hidden Phone Number Change & POST-to-GET CSRF — A Hacker’s Tale

Introduction
Sometimes, the most interesting vulnerabilities aren’t the flashy ones — they’re the sneaky, almost accidental bugs that show just how broken the logic behind a system can be. This is one such story where a "simple" password change page led me down a rabbit hole, exposing insecure phone number updates, exposed JS files, and a site-wide CSRF risk.

The Setup: A Weird Account Settings Page
I was casually poking around a web application’s user settings section when something immediately stood out: there was only an option to change the password — no UI to update email, name, or even the phone number. This felt odd for a platform that relied heavily on phone-based verification.

The Discovery: A Phone Number Change Endpoint Hidden in Plain Sight
I decided to do some digging, and sure enough, a JavaScript file revealed an unused (and undocumented) phone number change endpoint. However, the parameters required were unclear. I had no documentation, and the request w...