💸 "65 Euros for an Account Deletion Fail — When Deleted Doesn’t Mean Deleted"

-

 

The Bug

I found a weird issue with the platform’s account deletion flow:

  • When a user deletes their account, their added email addresses were not removed from the system.
  • If the user tried to sign up again using the same email, they couldn’t — the system claimed the email was still in use.

Impact

  • Users locked out from re-registering after deleting their accounts.
  • Incomplete deletion = privacy issue (user data retained after account removal).

Status

  • Bug accepted âś…
  • Rewarded 65 Euros đź’°

Key Lesson

Deleting an account should mean deleting everything tied to it, including secondary emails.
Half-baked deletion flows = low payout bugs, but solid finds.

Comments

Post a Comment

Popular posts from this blog

The Curious Case of Hidden Phone Number Change & POST-to-GET CSRF — A Hacker’s Tale

-
Introduction Sometimes, the most interesting vulnerabilities aren’t the flashy ones — they’re the sneaky, almost accidental bugs that show just how broken the logic behind a system can be. This is one such story where a "simple" password change page led me down a rabbit hole, exposing insecure phone number updates, exposed JS files, and a site-wide CSRF risk. The Setup: A Weird Account Settings Page I was casually poking around a web application’s user settings section when something immediately stood out: There was only an option to change the password — no UI to update email , name , or even the phone number . This felt odd for a platform that relied heavily on phone-based verification. The Discovery: A Phone Number Change Endpoint Hidden in Plain Sight I decided to do some digging, and sure enough, a JavaScript file revealed an unused (and undocumented) phone number change endpoint . However, the parameters required were unclear. I had no documentation, and the request w...
Read more

Android pin bypass with rate limiting

-
  Application pin rate limiting bypass The bug is in private program . There is a feature to lock mobile app with pin . But only 3 attempts. If we attempt wrong pin. The app logouts. But there is a misconfig in this feature. If you enter the pin 2 times. close the app and open the app again you will get another 3 attempts . So the rate limiting bypassed by closing and calling the main activity You can launch the main activity as many times as you want with adb while true;     do adb shell am start -a android.intent.action.VIEW \ -n  com.redacted/com.redacted.MainActivity;   sleep 4; done   while the sleep time you can enter the pin 2 times and again the main activity will be called so you can enter pin again Impact :- mobile auth pin rate limiting bypassed No thanks for reading ..!
Read more