In the name of God, the Most Gracious, the Most Merciful

﴿ Blessings and peace be upon the Messenger of God, may God bless him and grant him peace ﴾

✦••┈┈┈┈┈┈┈••✦

One day I woke up with a day off from my job as a penetration tester at GM. I decided to spend my free time hunting on a new program; let's call it ammar.com. Sounds good? Great.

I started by creating a new account with an email. The system asked me for a verification code that gets sent to the email.

• I tried entering random codes → didn't work.

• I tried some response manipulation → didn't work.

• I even tried sending null values → still nothing.

• Then I thought of bypassing directly to the next step… Boom 💥 → didn't work either.

But I didn't stop there. I looked deeper and tried to access an internal endpoint for account details. I found one at:

ammar.com/profile

And guess what? This worked! I managed to bypass the verification step completely.

At this point, I had an account registered with the victim's email:

victim@gmail.com

but it wasn't fully activated yet.

Now the big question: should I stop here and submit it as code verification bypass?

No, that's not enough. I had to push it further.

So, I tried registering a new account again but this time using Google OAuth with the same email:

victim@gmail.com

💥 Boom! The system automatically verified the account (since it trusted Google OAuth) and merged it with the account I had already created earlier.

Result? I now had full access to the victim's account.

This is a classic OAuth Verification Bypass → Account Takeover.

⸻

Scenario (Attack Flow)

1. Attacker signs up with victim@gmail.com via normal registration and chooses the password.

2. Email verification is required, but the attacker never completes it: /profile does not check the account's verified flag on the server side, so the unverified account is already usable.

3. Victim later signs up with the same email using Google OAuth.

4. System trusts Google's assertion of the email address and marks the existing, unverified account as verified instead of treating it as unowned.

5. The merged account still carries the password and sessions the attacker set in step 1, so the attacker now holds the victim's verified account → Account Takeover.
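The two weaknesses in the flow above (the /profile handler that never checks the verified flag, and the OAuth sign-in that verifies a pre-existing unverified account while keeping its password and sessions), modelled end to end as an added example. This is constructed code, not ammar.com's or the author's: the in-memory store, the `User` record, the handler names (`register`, `profile`, `oauth_login`) and the Google subject value are assumptions made for illustration. `hardened=False` reproduces the write-up; `hardened=True` gates the profile endpoint on `verified` and, when Google vouches for an email that an unverified account already uses, revokes that account's password and sessions before trusting it.

```python
# Added example: model of the verification-gate and OAuth-merge bugs.
# Constructed for illustration, not ammar.com's code; store, User record
# and handler names are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class VerificationRequired(Exception):
    """Raised when an unverified account reaches a gated endpoint."""


@dataclass
class User:
    email: str
    password_hash: Optional[bytes]          # None once revoked
    verified: bool = False
    google_sub: Optional[str] = None        # IdP subject linked to the account
    sessions: set = field(default_factory=set)


class App:
    """Tiny stand-in for the site's auth layer; `hardened` toggles the fixes."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users: dict = {}
        self.salt = secrets.token_bytes(16)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    # Step 1: password sign-up creates an account that is NOT yet verified.
    def register(self, email: str, password: str) -> User:
        email = email.lower()
        if email in self.users:
            raise ValueError("email already registered")
        self.users[email] = User(email=email, password_hash=self._hash(password))
        return self.users[email]

    def login_with_password(self, email: str, password: str) -> Optional[str]:
        u = self.users.get(email.lower())
        if u is None or u.password_hash is None:
            return None
        if not hmac.compare_digest(u.password_hash, self._hash(password)):
            return None
        sid = secrets.token_hex(16)
        u.sessions.add(sid)
        return sid

    def _user_for_session(self, sid: str) -> Optional[User]:
        return next((u for u in self.users.values() if sid in u.sessions), None)

    # Step 2: /profile. The vulnerable handler only checks for a session, so
    # skipping the code-entry page works; the hardened one gates on `verified`.
    def profile(self, sid: str) -> dict:
        u = self._user_for_session(sid)
        if u is None:
            raise PermissionError("not logged in")
        if self.hardened and not u.verified:
            raise VerificationRequired(u.email)
        return {"email": u.email, "verified": u.verified}

    # Steps 3-4: Google sign-in. idp_email/sub stand for the email and sub
    # claims of an ID token assumed to have been validated before this point.
    def oauth_login(self, idp_email: str, sub: str) -> str:
        email = idp_email.lower()
        u = self.users.get(email)
        if u is None:
            u = User(email=email, password_hash=None, verified=True, google_sub=sub)
            self.users[email] = u
        elif not u.verified:
            if self.hardened:
                # Nobody proved ownership of this account before now, so the
                # credentials it carries belong to an unknown party: drop them.
                u.password_hash = None
                u.sessions.clear()
            # Mark verified and link the IdP subject. The vulnerable path
            # reaches here with the registrant's password and sessions intact.
            u.verified = True
            u.google_sub = sub
        elif u.google_sub not in (None, sub):
            raise PermissionError("email already linked to another Google subject")
        else:
            u.google_sub = sub
        sid = secrets.token_hex(16)
        u.sessions.add(sid)
        return sid


def run_scenario(hardened: bool) -> dict:
    """Replay the five-step attack flow and report what the attacker keeps."""
    app = App(hardened)
    app.register("victim@gmail.com", "attacker-chosen")                    # step 1
    attacker_sid = app.login_with_password("victim@gmail.com", "attacker-chosen")
    try:                                                                    # step 2
        app.profile(attacker_sid)
        profile_bypassed = True
    except VerificationRequired:
        profile_bypassed = False
    app.oauth_login("victim@gmail.com", sub="google-sub-123")               # steps 3-4
    post_sid = app.login_with_password("victim@gmail.com", "attacker-chosen")
    still_in = post_sid is not None and app.profile(post_sid)["verified"]
    return {                                                                # step 5
        "profile_bypassed": profile_bypassed,
        "attacker_password_works": still_in,
        "attacker_session_alive": attacker_sid in app.users["victim@gmail.com"].sessions,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Revoking the unverified account's password and sessions is one defensible choice; the alternative is to refuse the federated login until the pending email verification is completed. Either way, the point is that an account whose email was never proven must not inherit a "verified" status from a later IdP assertion while keeping credentials set by someone else, and that every logged-in endpoint, not only the code-entry page, must enforce the verified flag.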

⸻

Impact

• Full Account Takeover (rated anywhere from Medium to Critical, P3 to P1, depending on the program and what the account holds).

• Attacker can access, modify, or delete the victim's account data.

• Exposes the victim's personal data and lets the attacker act as the victim on the platform.

• Potential abuse if accounts are linked to other services.

🔥 That's it – from a simple verification code bypass to a one-click Account Takeover.

Doom (Ammar Yasser)