🔥 Account Takeover via Duplicate Registration — A 1500 Euro Jackpot

-

 

The Bug

Found a critical account takeover in a web application’s registration flow.
The platform allowed creating the same account (same email) from a different session, even though the account already existed.

Step-by-Step PoC

  1. Create account with email: xyz@account.com and place some orders.
  2. In a different session, re-register using the same email: xyz@account.com.
  3. ✅ Registration works again — no error for duplicate account.
  4. Now the attacker controls:
    • The victim’s orders
    • Can change the password
    • Full account access = Total takeover.

Impact

  • Complete account takeover
  • Orders, personal data, everything exposed
  • Victim locked out after attacker changes password

Status

  • Accepted as High ✅
  • Rewarded 1500 Euros 💰

Takeaway

Duplicate account creation = critical bug hiding in plain sight.
Sometimes basic checks (like preventing duplicate registrations) protect the entire platform.

Comments

Post a Comment

Popular posts from this blog

The Curious Case of Hidden Phone Number Change & POST-to-GET CSRF — A Hacker’s Tale

-
Introduction Sometimes, the most interesting vulnerabilities aren’t the flashy ones — they’re the sneaky, almost accidental bugs that show just how broken the logic behind a system can be. This is one such story where a "simple" password change page led me down a rabbit hole, exposing insecure phone number updates, exposed JS files, and a site-wide CSRF risk. The Setup: A Weird Account Settings Page I was casually poking around a web application’s user settings section when something immediately stood out: There was only an option to change the password — no UI to update email , name , or even the phone number . This felt odd for a platform that relied heavily on phone-based verification. The Discovery: A Phone Number Change Endpoint Hidden in Plain Sight I decided to do some digging, and sure enough, a JavaScript file revealed an unused (and undocumented) phone number change endpoint . However, the parameters required were unclear. I had no documentation, and the request w...
Read more

Android pin bypass with rate limiting

-
  Application pin rate limiting bypass The bug is in private program . There is a feature to lock mobile app with pin . But only 3 attempts. If we attempt wrong pin. The app logouts. But there is a misconfig in this feature. If you enter the pin 2 times. close the app and open the app again you will get another 3 attempts . So the rate limiting bypassed by closing and calling the main activity You can launch the main activity as many times as you want with adb while true;     do adb shell am start -a android.intent.action.VIEW \ -n  com.redacted/com.redacted.MainActivity;   sleep 4; done   while the sleep time you can enter the pin 2 times and again the main activity will be called so you can enter pin again Impact :- mobile auth pin rate limiting bypassed No thanks for reading ..!
Read more

💸 "65 Euros for an Account Deletion Fail — When Deleted Doesn’t Mean Deleted"

-
  The Bug I found a weird issue with the platform’s account deletion flow : When a user deletes their account, their added email addresses were not removed from the system. If the user tried to sign up again using the same email , they couldn’t — the system claimed the email was still in use . Impact Users locked out from re-registering after deleting their accounts. Incomplete deletion = privacy issue (user data retained after account removal). Status Bug accepted ✅ Rewarded 65 Euros 💰 Key Lesson Deleting an account should mean deleting everything tied to it , including secondary emails. Half-baked deletion flows = low payout bugs, but solid finds .
Read more