How I Bypassed Email Uniqueness: Exploiting Weak Access Control in a Bug Bounty Program



During a bug bounty assessment, I discovered an interesting account takeover and denial-of-service (DoS) vulnerability caused by improper access control and weak email uniqueness enforcement. The issue allowed me to associate two separate accounts with the same email address, so that password-reset mail for a legitimate user's account was delivered to an address the attacker controls, leaving that user unable to recover their account.
STEPS TO REPRODUCE
Step 1: Creating Two Accounts
The vulnerability begins with registering two separate accounts:
• Account A: Registered with victim@example.com
• Account B: Registered with attacker@example.com
Both email addresses were confirmed as required by the system.
Step 2: Changing Email to a Duplicate Address
After registering and verifying both accounts:
1. I logged into Account A (victim@example.com).
2. Navigated to the account settings page.
3. Changed the email of Account A to attacker@example.com (which was already in use by Account B).
4. The system accepted the change, even though attacker@example.com was already associated with another account.
This exposed a serious email uniqueness check failure.
Step 3: Requesting a Password Reset
With both accounts now having the same email:
1. I logged out of both accounts.
2. Requested a password reset for Account A (victim@example.com).
3. The system sent the password reset email to attacker@example.com, not victim@example.com.
At this stage, User A was locked out because they could no longer receive password reset emails.
Step 4: Verifying the Denial of Service Impact
1. Trying to log in with victim@example.com still worked (since the password was unchanged).
2. However, if the user ever forgot their password, they could never reset it, effectively locking them out.
This demonstrated a denial-of-service (DoS) condition against account recovery.
Security Impact
• Account Takeover Potential: Since email addresses often serve as the primary recovery method, an attacker who can get a victim's account pointed at an attacker-controlled address through some other weakness could then hijack it via the reset flow.
• Denial-of-Service (DoS): The victim loses access to password resets permanently.
• Weak Access Control: The failure to enforce email uniqueness compromises account integrity.
Reporting & Response
After I reported the issue, it was marked as not applicable, on the grounds that an attacker must first control one of the accounts. Exploiting this against a real victim is harder for that reason, but it still poses a valid risk, especially when accounts are linked to external services or when users reuse emails across multiple platforms.

Notably, the website enforces email uniqueness during registration, preventing duplicate accounts from being created. It does not apply the same check when an account's email is updated, so an email already associated with another account can be reassigned. This bypasses the control that registration enforces.
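To make the registration-versus-update asymmetry from the reproduction steps and the response above concrete, here is an added Python model of the flaw beside its fix. It is example code written for this page, not code from the affected site. It assumes the simplest data model consistent with the observed behaviour (login with victim@example.com keeps working while reset mail for that account goes to attacker@example.com): each account has an immutable login identifier and a separately editable recovery address that reset mail is sent to. The names AccountStore, update_recovery_email, request_password_reset and reproduce are mine, and the passwords are placeholders.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


def normalize(email: str) -> str:
    # One canonical form for every comparison, so "Attacker@Example.com" cannot dodge the check.
    return email.strip().lower()


@dataclass
class Account:
    login_email: str     # immutable identifier used to sign in and to request a reset (assumption)
    recovery_email: str  # where reset mail is sent; editable from account settings (assumption)
    password: str        # stored in clear only because hashing is not the point of this toy


class AccountStore:
    def __init__(self, unique_on_update: bool) -> None:
        self.unique_on_update = unique_on_update  # False reproduces the bug, True applies the fix
        self.accounts = {}  # login_email -> Account
        self.outbox = []    # (recipient, token) for every reset mail the toy "sends"

    def _recovery_taken(self, email: str, except_login: Optional[str] = None) -> bool:
        # Is this recovery address already on another account? The caller's own account is excluded.
        return any(a.recovery_email == email and a.login_email != except_login
                   for a in self.accounts.values())

    def register(self, email: str, password: str) -> None:
        email = normalize(email)
        if email in self.accounts or self._recovery_taken(email):
            raise ValueError("email already registered")  # enforced here, as on the real site
        self.accounts[email] = Account(email, email, password)

    def update_recovery_email(self, login_email: str, new_email: str) -> None:
        # The vulnerable handler: with unique_on_update=False the duplicate is written unchecked.
        login_email = normalize(login_email)
        new_email = normalize(new_email)
        if self.unique_on_update and self._recovery_taken(new_email, except_login=login_email):
            raise ValueError("email already in use by another account")
        self.accounts[login_email].recovery_email = new_email

    def login(self, login_email: str, password: str) -> bool:
        acct = self.accounts.get(normalize(login_email))
        return acct is not None and acct.password == password

    def request_password_reset(self, login_email: str) -> Optional[str]:
        # Mail a token to the recovery address on file and return that recipient.
        acct = self.accounts.get(normalize(login_email))
        if acct is None:
            return None
        token = secrets.token_urlsafe(16)
        self.outbox.append((acct.recovery_email, token))
        return acct.recovery_email


def reproduce(unique_on_update: bool) -> dict:
    # Steps 1-4 of the writeup against a fresh store; reports where the reset mail ended up.
    store = AccountStore(unique_on_update)
    store.register("victim@example.com", "victim-pw")      # Account A
    store.register("attacker@example.com", "attacker-pw")  # Account B
    try:
        store.update_recovery_email("victim@example.com", "Attacker@Example.com")  # step 2
        change_accepted = True
    except ValueError:
        change_accepted = False
    return {
        "change_accepted": change_accepted,
        "login_still_works": store.login("victim@example.com", "victim-pw"),    # step 4
        "reset_sent_to": store.request_password_reset("victim@example.com"),  # step 3
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(False))
    print("fixed:     ", reproduce(True))
```

reproduce(False) plays out the report: the duplicate is accepted, login with victim@example.com still works, and the reset token is mailed to attacker@example.com. reproduce(True) applies the fix: the update handler normalizes the address and rejects it if any other account already holds it, which is the same rule registration already applies. If a site confirms a new address by link before switching, the check belongs at confirmation time as well, since the address could have been registered by someone else in between.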