Who Am I: 0xMo7areb โ€” a bug hunter and Penenteration Tester :)

follow me on: x account || linkedin account

ุงู„ุญู…ุฏ ู„ู„ู‡ ุงู„ุฐูŠ ุนูŽู„ูŽู‘ู…ูŽ ุจุงู„ู‚ู„ู….. ุนูŽู„ูŽู‘ู…ูŽ ุงู„ุฅู†ุณุงู†ูŽ ู…ุง ู„ู… ูŠูŽุนู’ู„ูŽู… ูˆุงู„ุตู„ุงุฉู ูˆุงู„ุณู„ุงู…ู ุนู„ู‰ ุฎูŠุฑู ู…ูุนูŽู„ูู‘ู…ูŠ ุงู„ู†ุงุณู ุงู„ุฎูŠุฑ ู…ุญู…ุฏ ุฃู…ุง ุจุนุฏ

None
ุนู† ุฃุจูŠ ู‡ุฑูŠุฑุฉ ุฑุถูŠ ุงู„ู„ู‡ ุนู†ู‡ ุฃู† ุฑุณูˆู„ ุงู„ู„ู‡ ุตู„ู‰ ุงู„ู„ู‡ ุนู„ูŠู‡ ูˆุณู„ู… ู‚ุงู„: (ู…ู† ุตู„ู‰ ุนู„ูŠ ุตู„ุงุฉ ูˆุงุญุฏุฉ ุตู„ู‰ ุงู„ู„ู‡ ุนู„ูŠู‡ ุนุดุฑุงู‹) ุฑูˆุงู‡ ู…ุณู„ู…

A business logic flaw in the username lifecycle permits the reassignment of email-based usernames after they are changed by the original account owner. Because the platform allows authentication using either email or username โ€” and initially sets the username equal to the email address โ€” this creates an identity collision condition.

Summary

When the original user changes their username, their email string becomes available as a username. If another user claims that released identifier, authentication attempts using that email resolve to the new account mapping.

In the observed scenario, this results in permanent account lockout for the legitimate user. While this instance does not enable account takeover, similar implementations in other environments could escalate into full account compromise depending on password reset and verification flows.

This is an availability and identity integrity failure rooted in mutable authentication identifiers.

Platform Behavior

  • Users register using their email.
  • The email automatically becomes both:
  • The account email
  • The default username
  • Users can authenticate using either their email or username.
  • Usernames are mutable and reusable.

This dual-binding model introduces structural risk.

Attack Scenario

  1. The victim registers and logs in with Mo7areb@Free.Palestine.com (Email = Username).
  2. The victim later changes their username to: Mo7areb.
  3. The original email string Mo7areb@Free.Palestine.com becomes available as a username.
  4. An attacker, knowing only the victim's email address, registers or logs in to their own account.
  5. The attacker changes their username to: Mo7areb@Free.Palestine.com.
  6. Authentication requests using that identifier now resolve to the attacker's account.

Result:

  • The victim's credentials remain valid.
  • The victim can no longer authenticate using their email.
  • The login path is effectively hijacked.
  • The victim is locked out of their account.

Note โ€” Potential Admin Escalation Risk

If an administrator uses their email as both email and username (e.g., admin@Free.Palestine) and later changes their username, that original identifier becomes available.

An attacker who knows the admin's email could then register an account and change their username to admin@Free.Palestine.

In this application, this would result in admin account lockout. However, in other implementations where privilege checks, password resets, or role mappings rely on username resolution, this design flaw could potentially escalate to full administrative account takeover.

None

Root Cause

The system treats a mutable, reusable attribute (username) as an authoritative authentication identifier while simultaneously allowing:

  • Username modification
  • Username recycling
  • Dual login resolution (email or username)

This creates a non-deterministic identity mapping over time.

Authentication should resolve strictly against immutable identifiers such as:

  • Internal user ID
  • Permanently bound, verified email

Usernames should function only as display aliases.

Impact

  • Permanent denial of account access
  • Targeted account lockout using publicly known email addresses
  • Identity ownership collision
  • Increased support and recovery burden

Although no account takeover occurs in this implementation, the architectural weakness introduces elevated risk in environments where password reset or email verification logic is less strict.

This represents a structural identity lifecycle flaw with availability impact and potential escalation pathways.

Triager Answer

he accept it as accepted risk but not eligible bug.

None
Not eligible ๐Ÿ˜…

I hope this write-up gives you a clear understanding of how critical and its impactful this flaw truly is.

Don't forget to follow me on this medium account :)

"ุณูุจู’ุญูŽุงู†ูŽูƒูŽ ุงู„ู„ู‘ูŽู‡ูู…ู‘ูŽ ูˆูŽุจูุญูŽู…ู’ุฏููƒูŽ ุŒ ุฃูŽุดู’ู‡ูŽุฏู ุฃูŽู†ู’ ู„ุง ุฅูู„ูŽู‡ูŽ ุฅูู„ุง ุฃูŽู†ู’ุชูŽ ุŒ ุฃูŽุณู’ุชูŽุบู’ููุฑููƒูŽ ูˆูŽุฃูŽุชููˆุจู ุฅูู„ูŽูŠู’ูƒูŽ"