June 16, 2026
“Bug Bounty Bootcamp #47: Account Takeover 101 — How to Steal Everyone’s Account (Legally)”
You don’t need to be a hacker in a hoodie. Just a missing IDOR, a leaky invite link, or a mass-assignable “role” field — and suddenly…
Aman Sharma
4 min read
- 1 1. Account Takeover via IDOR — Change One Number, Steal an Account
- 2 2. Invite System Hijacking — Join Any Organization (Even the Ones You're Not Invited To)
- 3 3. Mass Assignment — Promote Yourself to Super Admin
- 4 4. OAuth + Open Redirect — The Classic Account Takeover Chain
- 5 The Account Takeover Hunter's Checklist
You don't need to be a hacker in a hoodie. Just a missing IDOR, a leaky invite link, or a mass-assignable "role" field — and suddenly you're not just a user. You're everyone.
Welcome back, my favorite little chaos agents. You've made it through login bypasses, token leaks, and IP spoofing. Now we reach the endgame: Account Takeover (ATO) . This isn't just about getting into one account. It's about orchestrating a symphony of vulnerabilities that let you become any user — or even take over entire organizations.
Account takeovers come in three main flavors:
- Targeted — You attack a specific user (phishing, XSS, etc.)
- Mass — You find a vulnerability that lets you change anyone's email or password
- Organizational — You hijack an entire company's workspace (think Slack, GitHub, or HR platforms)
Today, we're covering the mass and organizational methods — because why steal one account when you can steal all of them?
1. Account Takeover via IDOR — Change One Number, Steal an Account
You're logged in as ben@example.com. You go to settings and update your email. The request looks like:
POST /api/user/update_email
{"user_id": 123, "email": "ben@example.com"}POST /api/user/update_email
{"user_id": 123, "email": "ben@example.com"}What if you change user_id to 124? If the server doesn't check that you own user 124, you just changed someone else's email to your own. Then you request a password reset, and the reset link goes to your email. Account owned.
The lab example:
- Logged in as
ben(user ID 2). - Found a
PUT /api/user/update_emailendpoint. - Changed
user_idto1(admin). - Updated admin's email to
attacker@example.com. - Requested password reset for admin.
- Reset link came to attacker's email.
- Logged in as admin.
The hunter's mindset: Any time you see a user_id, account_id, org_id, or any object identifier in a request – test it. Change it. See if the server cares. Often, it doesn't.
2. Invite System Hijacking — Join Any Organization (Even the Ones You're Not Invited To)
Imagine an app where you can invite people to your company workspace. The invite link looks like:
https://app.target.com/join?org_id=123&token=xyz789
What if you change org_id to 124? If the token isn't bound to the organization, you might be able to join a different company.
The lab example:
- Logged in to HackerCorp dashboard.
- Generated an invite link:
/join?org_id=2&token=abc123. - Changed
org_id=2toorg_id=1. - Opened the link in incognito.
- The page showed Acme Corp instead of HackerCorp.
- Registered with a new username and password.
- Logged in as a member of Acme Corp — a company they weren't invited to.
The escalation: Once inside, you might find sensitive data, employee lists, or even admin functionalities. This isn't just account takeover; it's organization takeover.
3. Mass Assignment — Promote Yourself to Super Admin
You update your profile. The request sends:
{"username": "ben", "bio": "hacker", "website": "ben.com"}{"username": "ben", "bio": "hacker", "website": "ben.com"}The response returns:
{"id": 123, "username": "ben", "bio": "hacker", "role": "user"}{"id": 123, "username": "ben", "bio": "hacker", "role": "user"}The clue: The response has a field (role) that wasn't in your request. That means the server has that field – you just didn't send it. Add it.
Test it:
{"username": "ben", "bio": "hacker", "role": "admin"}{"username": "ben", "bio": "hacker", "role": "admin"}If the server accepts it and changes your role, you just mass-assigned yourself to admin.
The lab example: The instructor added "role": "super_admin" to a profile update request. The server accepted it, and suddenly they had access to admin-only panels. From there, they could reset any user's password – mass account takeover.
Pro tip: Check JavaScript files for role names. Devs often define them in the frontend:
const ROLES = { ADMIN: 'admin', SUPER_ADMIN: 'super_admin', USER: 'user' };const ROLES = { ADMIN: 'admin', SUPER_ADMIN: 'super_admin', USER: 'user' };Now you know exactly what to try.
4. OAuth + Open Redirect — The Classic Account Takeover Chain
OAuth flows are notorious for redirect_uri manipulation. If you can change the redirect_uri to your own domain, the authorization code gets sent to you instead of the legitimate app.
The attack:
- Start OAuth login to
victim.com. - Intercept the request and change
redirect_uri=https://victim.com/callbacktoredirect_uri=https://attacker.com/callback. - The user completes login.
- The code is sent to
attacker.com/callback?code=xyz. - You exchange the code for an access token.
- You're logged in as the victim.
When does this work? When the OAuth provider doesn't validate the redirect_uri properly – or when it uses a whitelist that's too permissive (e.g., allowing any subdomain of victim.com).
Pro tip: If you find an open redirect on victim.com, you can chain it: redirect_uri=https://victim.com/redirect?url=attacker.com. The provider sees victim.com (allowed) and redirects to attacker.com (your server).
The Account Takeover Hunter's Checklist
Final Boss Wisdom
Account takeover isn't always a single vulnerability. Often, it's a chain:
- Find an IDOR that lets you change someone's email.
- Use that to request a password reset.
- Receive the reset link and change their password.
- Log in as them.
Or:
- Mass-assign yourself to admin.
- Use the admin panel to reset any user's password.
- Take over all accounts.
The best hunters think in chains. They don't just report "I can change user 2's email." They demonstrate: "I can change any user's email, then reset their password, then log in as them. This leads to full account takeover of all users."
That's the kind of report that gets escalated, rewarded, and remembered.
Now go forth, you magnificent account-taking-over legend. And when you finally log in as the admin, do a silent victory dance. You've earned it.
you can check this article too…
"Bug Bounty Bootcamp #46: Not Allowed From Your IP?" — How to Spoof, Brute-Force, and Mass-Assign Your Way Past Authentication Walls"
"Day 14: Cookie Hijacking Exposed — How I Bypassed Chrome's "Secure" Storage" When Browser Protections Fail in Unexpected Ways
List: Bug Bounty series | Curated by Aman Sharma | Medium Bug Bounty series · 29 stories on Medium
Liked this chaos? Smash that clap button 50 times (it's free dopamine), drop a comment with your wildest ATO story, and highlight the part that made you go "wait, that actually works?"
Your engagement fuels the chaos.
— Your friendly neighborhood account takeover artist 🕵️♂️💥
P.S. If you're a dev reading this — validate every user_id, bind every invite token to its organization, never auto-accept mass-assigned fields, and actually check redirect_uri in OAuth. We will find the cracks. And we will laugh.