
Hello, fellow bug hunters! Grab a coffee, because this story starts with a simple email verification check and ends with a privilege escalation scenario.
The Beginning: A Small Inconsistency
While testing a web platform, I noticed something curious: email verification and organization invitations were tied to email addresses rather than unique user IDs.
At first glance, everything seemed normal, but small inconsistencies often hide big surprises.

Discovery:
Step 1 — Setting the Scene
I started by creating a normal user account:
victim@example.com
The account was created, but the email remained unverified. Nothing unusual so far.
Step 2 — Introducing a Second Account
Curious about email handling, I created a second account using the same email address:
victim@example.com
Now there were two accounts sharing the same email:
- User A → Original account
- User B → Attacker-controlled account
Both unverified, but that's where the fun began💀💀.

Step 3 — Triggering Email Verification
Next, I logged into User A and requested email verification via the platform's account settings.
Expected result: User A becomes verified. Actual result: User B became verified instead, while User A remained unverified.
Verification was applied to the wrong account: the verified state was bound to the email address rather than to the account that requested it, a clear case of misbinding.


Step 4 — Organization Invite Abuse
I wanted to see if this could have practical impact:
- I created a third account (User C) and an organization.
- User C sent an invitation to victim@example.com.
Observation:
Because the invite was addressed to the email rather than to a specific account, both User A and User B received it. The attacker-controlled account could accept it and gain the organization privileges intended for the original user.

This confirmed that any trust tied to the email (verification or invites) applied to all accounts sharing it.
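The two flows above (Step 3, verification landing on the wrong account; Step 4, an invite accepted by the attacker's account) come down to the same design flaw: state keyed by email address instead of by user ID. The following is an added illustration, not the platform's code and not something the author published. It models one plausible mechanism for the observed behaviour (an email-to-user index that the second registration overwrites) in an in-memory store, then shows the identity-bound version: duplicate registration rejected, the verification token bound to the requesting user_id, and invite acceptance requiring a verified address. The store layout, function names and the "last registration wins" index are assumptions made for the example.

```python
"""Added example (not the platform's code): email-bound vs identity-bound
verification and invite handling, modelled on the write-up's two findings."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    verified: bool = False


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # user_id -> User
    by_email: dict = field(default_factory=dict)  # email -> user_id (assumed: last writer wins)
    tokens: dict = field(default_factory=dict)    # token -> subject (email or user_id)
    invites: dict = field(default_factory=dict)   # invite_id -> (org, email)
    members: set = field(default_factory=set)     # (org, user_id)


def norm(email):
    return email.strip().lower()


def register(store, email):
    """Vulnerable: duplicate emails allowed, and the index is silently overwritten."""
    uid = len(store.users) + 1
    store.users[uid] = User(uid, norm(email))
    store.by_email[norm(email)] = uid
    return uid


def invite(store, org, email):
    inv = secrets.token_urlsafe(8)
    store.invites[inv] = (org, norm(email))
    return inv


# --- vulnerable: verification and invites keyed by email address -------------
def issue_token_vuln(store, requesting_uid):
    token = secrets.token_urlsafe(16)
    store.tokens[token] = store.users[requesting_uid].email  # subject is the address
    return token


def redeem_token_vuln(store, token):
    email = store.tokens.pop(token)
    uid = store.by_email[email]  # resolves to whichever account registered last
    store.users[uid].verified = True
    return uid


def accept_invite_vuln(store, invite_id, uid):
    org, email = store.invites[invite_id]
    if store.users[uid].email != email:  # address match only, no ownership proof
        return False
    store.members.add((org, uid))
    return True


# --- hardened: token bound to user_id; invite needs a verified address -------
def register_strict(store, email):
    if norm(email) in store.by_email:
        raise ValueError("email already registered")
    return register(store, email)


def issue_token_fixed(store, requesting_uid):
    token = secrets.token_urlsafe(16)
    store.tokens[token] = requesting_uid  # subject is the account, not the address
    return token


def redeem_token_fixed(store, token):
    uid = store.tokens.pop(token)
    store.users[uid].verified = True
    return uid


def accept_invite_fixed(store, invite_id, uid):
    org, email = store.invites[invite_id]
    u = store.users[uid]
    if u.email != email or not u.verified:  # must have proven control of the address
        return False
    store.invites.pop(invite_id)  # single use
    store.members.add((org, uid))
    return True


def reproduce_vuln():
    """Returns (verification hit User B, User B accepted the invite)."""
    s = Store()
    a = register(s, "victim@example.com")  # User A, the victim
    b = register(s, "victim@example.com")  # User B, attacker-controlled
    verified = redeem_token_vuln(s, issue_token_vuln(s, a))
    inv = invite(s, "acme", "victim@example.com")
    return verified == b, accept_invite_vuln(s, inv, b)


def reproduce_fixed():
    """Returns (duplicate blocked, A verified, B rejected, A accepted)."""
    s = Store()
    a = register_strict(s, "victim@example.com")
    try:
        register_strict(s, "victim@example.com")
        dup_blocked = False
    except ValueError:
        dup_blocked = True
    b = register(s, "victim@example.com")  # defence in depth: even if a duplicate slips in
    verified = redeem_token_fixed(s, issue_token_fixed(s, a))
    inv = invite(s, "acme", "victim@example.com")
    return dup_blocked, verified == a, accept_invite_fixed(s, inv, b), accept_invite_fixed(s, inv, a)
```

The hardened path layers three checks so that no single one carries the weight: uniqueness at registration, a token that names a user rather than an address, and invite acceptance that insists on a verified address. With the last two in place, a duplicate account that slips past the first check still cannot collect the victim's verification or their invites.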
Impact:
- Pre-account takeover scenario
- Privilege escalation at organization level
- Attackers can accept invites and gain access without ever touching the original user's inbox

Final Thoughts
This journey reminded me that logic bugs often hide in plain sight. A tiny misbinding of email verification turned into a significant privilege escalation scenario.
Always question assumptions, test creatively, and never underestimate the impact of a seemingly minor bug.