My name is Montaser, and I'm a cybersecurity researcher interested in bug bounty and discovering real-world vulnerabilities.
I've been focusing a lot on authentication-related bugs lately, and one of the most interesting (and underrated) vulnerabilities I keep finding is:
Pre-Account Takeover
So far, I've discovered this issue multiple times across different applications, including valid reports on bug bounty platforms.
This write-up is a simple explanation of how this bug works, how I find it, and how you can start testing for it too.
Also, this is part of my journey in bug bounty, so if the style feels a bit simple, I'm still learning and improving every day.
What is Pre-Account Takeover?
Pre-Account Takeover is a vulnerability that happens before the victim even finishes creating or verifying their account.
In simple terms:
An attacker creates an account using the victim's email... and later takes control of it.
What is OAuth Misconfiguration?
OAuth is a login system that allows users to sign in using services like:
- GitHub
Instead of creating a password, users can just click:
"Continue with Google"
But here's the problem:
Many applications implement OAuth incorrectly.
These mistakes are called OAuth Misconfigurations, and they can lead to serious issues like account takeover.
Simple Example
Let's say a website allows:
- Signup using email/password
- Login using Google
Now imagine this:
- The website does NOT verify email addresses
- It automatically links accounts based on email
This creates a dangerous situation.
An attacker can:
- Register your email first
- Then use Google login later
- And take over your account
My Testing Scenario
While testing a target (let's call it target.com), I noticed that the application supports:
- Email/Password registration
- Google OAuth login
So I decided to test the account linking logic.
1. Account Creation (Email/Password)
I signed up using:
- Email: user@gmail.com
- Password: password
- The account was created successfully
- No email verification was required
After that, I logged out.
2. Login via Google OAuth
Next, I clicked:
"Continue with Google"
And logged in using the same email:
user@gmail.com
3. The Result
Here's what happened:
- The application automatically linked the Google account
- No verification was required
- No confirmation step
I was able to log in to the same account using OAuth.
Why This is a Problem
This means an attacker can:
- Pre-register a victim's email
- Wait for them to sign up using Google
- Gain full access to the account
The victim doesn't even know the account was already created.
Impact
This vulnerability can lead to:
- Full account takeover
- Unauthorized access to user data
- Identity impersonation
- Account lockout
And the worst part:
The victim trusts the account because they think they created it.
Root Cause
The issue usually comes from:
- No email verification
- Blind trust in the OAuth email
- Automatic account linking
- No user confirmation
How to Fix It
To prevent this vulnerability:
- Enforce email verification before activating accounts
- Do not automatically link OAuth accounts
- Require user confirmation before linking
- Verify email ownership properly
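The auto-linking decision from the testing scenario and the fixes above, as an added Python example that is not from the original post: the `User` model, the in-memory `USERS` store, the `link_oauth_*` functions and the provider claims are all hypothetical and constructed for illustration.

```python
# Added example: the account-linking decision an OAuth callback makes,
# shown in the vulnerable form from the write-up and in a hardened form.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    email: str
    password_hash: Optional[str] = None
    email_verified: bool = False        # set only after the user proves ownership of the address
    oauth_ids: dict = field(default_factory=dict)   # provider -> provider subject id ("sub")

USERS: dict = {}   # constructed in-memory store, keyed by lowercase e-mail

def register_with_password(email, password_hash):
    # Vulnerable pattern from the write-up: the account is active immediately,
    # with no verification e-mail, so anyone can register someone else's address.
    user = User(email=email.lower(), password_hash=password_hash)
    USERS[user.email] = user
    return user

def link_oauth_vulnerable(provider, claims):
    """Auto-links on e-mail match alone: a pre-registered account is handed to whoever logs in via OAuth."""
    email = claims["email"].lower()
    user = USERS.get(email) or User(email=email)
    user.oauth_ids[provider] = claims["sub"]
    USERS[email] = user
    return user                         # caller now issues a session for this user

def link_oauth_fixed(provider, claims, confirmed_by_logged_in_user=False):
    """Links only when ownership is proven on both sides; returns None to refuse."""
    email = claims["email"].lower()
    if not claims.get("email_verified", False):
        return None                     # provider did not vouch for the address
    user = USERS.get(email)
    if user is None:
        user = User(email=email, email_verified=True)   # fresh account, nothing to link
        USERS[email] = user
    elif not (user.email_verified and confirmed_by_logged_in_user):
        return None                     # existing account: require verified e-mail AND an explicit confirmation
    user.oauth_ids[provider] = claims["sub"]
    return user
```

In the refused case a real application would send the user to the normal verification or "link this provider?" flow instead of silently issuing a session.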
Tips for Beginners
If you're starting in bug bounty, this bug is a great target:
- Easy to test
- High impact
- Very common
- No advanced tools needed
Where to look:
- Signup flows
- Login systems
- OAuth integrations
- Account linking logic
Final Thoughts
Pre-Account Takeover is one of those bugs that looks simple but can have a huge impact.
The fact that I've found it multiple times shows that many applications still get this wrong.
If you're learning bug bounty:
Focus on logic, not just technical bugs.
Thanks for reading! I'll keep sharing more from my bug bounty journey.
Feel free to connect or share your thoughts:
Facebook: https://facebook.com/montasermohsen98
Twitter (X): https://x.com/Montaser_M98
LinkedIn: https://linkedin.com/in/montasermohsen98