How Token Misconfiguration Can Lead to Account Takeover

Hello everyone,

It's 03:21 AM and tomorrow is my final exam, and I will pass 😛. I was unable to focus on my studies, so I decided to share one of my findings on h1. This is my second writeup.

My recon steps :-

1. I visited

2. I created account X and verified my email.

Verification email looks like

3. I requested a reset link for A.

Reset link looks like

4. I changed my email from A to B.

5. Now X is asking to confirm B.

6. I modified the confirmation email of B.


AFTER -

7. Wow, I was able to change the password of account X.

I reported it to the program, where h1 closed it as informative and the internal team gave the statement below:

"As you state, this requires the victim to add the attacker's email to their account. There's no reason they would intentionally do that. We are not interested in social engineering reports"

8. I felt it. I moved back to and tried to find something.

9. It took me 5 minutes and I found:-

On my step 4:-

Before:- I changed my email from A to B

Now:- I changed my email from A to B to C to X to ...n

10. B no longer belongs to account X, but its token is still able to take over the account.

11. Now let's make a scenario:-

11.1. The victim logs in to

11.2. The victim wants to change their email from to but accidentally mistypes it as

11.3. Within a few seconds of submitting, the victim notices that the confirmation email has not arrived and realises that the email was mistyped.

11.4. The victim immediately changes the email back to

11.5. The victim receives the confirmation email for it and confirms it.

11.6. On the other hand, is an attacker, and he already received the confirmation email from step 11.2.

11.7. The attacker uses the email confirmation, but it doesn't work (as expected).

11.8. The attacker changes the URL from /activate-account/ to /password-reset/, and the same token is accepted on the reset password page.

11.9. The attacker changes the password and takes over the account.

12. I posted the above information and h1 reopened my report.

13. Awarded a bounty 2 days after triage.
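To make the two token mistakes behind this takeover concrete, here is an added example of my own (a constructed model, not the target application's code and not from the original post). `VulnerableService` reproduces the behaviour observed above: one opaque token store shared by `/activate-account/` and `/password-reset/`, and tokens that are never revoked when the pending email changes again. `HardenedService` binds each token to a purpose and to the address it was mailed to, makes it single-use, and revokes superseded tokens. The class names, the in-memory dicts, `run_scenario` and the `example.com`/`example.net` addresses are all assumptions made for the illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password: str
    pending_email: str | None = None   # address awaiting confirmation, if any


@dataclass(frozen=True)
class TokenRecord:
    uid: int
    purpose: str        # "activate" or "reset"
    bound_email: str    # the address this token was mailed to


class VulnerableService:
    """Constructed model of the writeup's observation: one token store shared by
    the activate and reset flows, and tokens that are never revoked."""

    def __init__(self) -> None:
        self.accounts: dict[int, Account] = {}
        self.tokens: dict[str, int] = {}   # token -> uid; no purpose, no binding

    def register(self, uid: int, email: str, password: str) -> None:
        self.accounts[uid] = Account(email, password)

    def request_email_change(self, uid: int, new_email: str) -> str:
        self.accounts[uid].pending_email = new_email
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = uid          # the link carrying tok is mailed to new_email
        return tok

    def activate_account(self, tok: str) -> bool:
        uid = self.tokens.get(tok)
        if uid is None or self.accounts[uid].pending_email is None:
            return False                # step 11.7: nothing pending, so the link fails
        acct = self.accounts[uid]
        acct.email, acct.pending_email = acct.pending_email, None
        return True

    def reset_password(self, tok: str, new_password: str) -> bool:
        uid = self.tokens.get(tok)      # BUG: any token for the account is accepted here
        if uid is None:
            return False
        self.accounts[uid].password = new_password
        return True


class HardenedService(VulnerableService):
    """Purpose-bound, address-bound, single-use tokens; superseded ones are revoked."""

    def __init__(self) -> None:
        super().__init__()
        self.tokens: dict[str, TokenRecord] = {}

    def _issue(self, uid: int, purpose: str, bound_email: str) -> str:
        # Revoke outstanding tokens for this account and purpose first, so the
        # mistyped address from an earlier change request holds nothing usable.
        self.tokens = {t: r for t, r in self.tokens.items()
                       if not (r.uid == uid and r.purpose == purpose)}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = TokenRecord(uid, purpose, bound_email)
        return tok

    def _consume(self, tok: str, purpose: str) -> TokenRecord | None:
        rec = self.tokens.get(tok)
        if rec is None or rec.purpose != purpose:
            return None                 # wrong flow for this token
        del self.tokens[tok]            # single use
        return rec

    def request_email_change(self, uid: int, new_email: str) -> str:
        self.accounts[uid].pending_email = new_email
        return self._issue(uid, "activate", new_email)

    def request_password_reset(self, uid: int) -> str:
        # Reset links only ever go to the currently verified address.
        return self._issue(uid, "reset", self.accounts[uid].email)

    def activate_account(self, tok: str) -> bool:
        rec = self._consume(tok, "activate")
        if rec is None or self.accounts[rec.uid].pending_email != rec.bound_email:
            return False
        acct = self.accounts[rec.uid]
        acct.email, acct.pending_email = rec.bound_email, None
        return True

    def reset_password(self, tok: str, new_password: str) -> bool:
        rec = self._consume(tok, "reset")
        if rec is None:
            return False
        self.accounts[rec.uid].password = new_password
        return True


def run_scenario(service_cls) -> tuple[bool, bool, str]:
    """Replays steps 11.1-11.9 with constructed addresses. Returns
    (attacker's activation worked, attacker's reset worked, final password)."""
    svc = service_cls()
    svc.register(1, "victim@example.com", "hunter2")
    attacker_link = svc.request_email_change(1, "vict1m@example.net")  # 11.2: typo goes to attacker
    victim_link = svc.request_email_change(1, "victim@example.net")    # 11.4: corrected address
    svc.activate_account(victim_link)                                   # 11.5
    activated = svc.activate_account(attacker_link)                     # 11.7
    reset = svc.reset_password(attacker_link, "attacker-chosen")        # 11.8-11.9
    return activated, reset, svc.accounts[1].password
```

Running `run_scenario(VulnerableService)` gives `(False, True, 'attacker-chosen')`: the stale activation link is rejected by the activate flow but accepted by the reset flow, exactly the URL swap in step 11.8. `run_scenario(HardenedService)` gives `(False, False, 'hunter2')`, because the second change request revoked the first token, and even an unrevoked activation token would be refused at `reset_password` for having the wrong purpose.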

Thanks For Reading this. Have a Nice day !

