June 3, 2026
The Most Dangerous OAuth Bug I’ve Ever Found
Hello! Some of you might know me (just kidding).
Ali Mojaver
3 min read
This time, I found a crazy bug on a website that led to massive account takeover — and it was rated P1.
But when I say account takeover, I don't just mean stealing one user's account. I'm talking about stealing millions of users' accounts.
Let me explain this weird bug.
Not What You Think
Unlike many of you who are now reviewing every possible OAuth attack scenario in your head — this bug wasn't that technical.
It was a broken business logic flaw that put an entire organization in question.
Honestly, I could marry business logic bugs someday. They're just that beautiful.
My Failures First
Unlike other hackers who tell you "I did this, then that happened" and hide their failures — I want to talk about my failures first.
The story of this bug:
One day, I was lurking around, looking for a good target in bug bounty programs. A big target caught my attention. This platform had many features — from online meetings to who knows what.
I started working on it. Since the target was large, my chances of finding a vulnerability seemed high too. So I began testing.
I ran many technical tests — from various XSS payloads to other bugs I could think of. I even found a really cool bug in this same platform. You can check the link here:
"From Summarize Button to Full AI Jailbreak" — Dedicated to everyone we lost on 17–18 Dey 1404 (January 2026) in Iran. Rest in peace ❤️.
In that write-up, I explained how the company refused to give a bounty to that beautiful bug — just because of a silly line in their bug bounty policy.
Anyway, after those reports, I was slowly getting disappointed with this program.
Then, one feature caught my eye.
The Golden Feature
This website, besides having different sections, was also an OAuth provider.
Cool bugs are usually found in more specialized sections — sections that people might overlook, or don't have enough knowledge to test.
I had already seen other parts of this site. But after several days of recon, this particular section looked golden to me.
My Bug Hunting Approach
My approach to finding bugs is usually the opposite of most people. I go after harder-to-find bugs first.
And by that, I don't mean rare bugs. I mean three types of bugs:
- Logic bugs
- Combinatorial bugs (bugs that appear exactly in the middle of communication between different parts of a site)
- Simple bugs in complex sections
This bug was of the second type — a combinatorial bug.
The Vulnerability Explained
Here's how the site behaved:
When signing up, the site did not verify your email. You could register with anyone's email address and verify it later whenever you wanted.
The bug bounty policy even stated: "This is by design. Please don't report pre-account takeover bugs because this is our intended behavior."
Most people would read that line and move on, right? But "Ali Mojaver" is different :)
OAuth + Business Logic = Disaster
Here's the important part:
When your website is an OAuth provider (like GitHub, GitLab, etc.), and other developers use your platform to authenticate their own sites — certain features of your site can become bugs. Their existence no longer makes sense.
So where did the bug happen?
Imagine a developer used this provider on their own website — let's call it victim.com.
So on victim.com, there was a "Login with Redacted.com" button (I'm redacting the real name for disclosure rules).
Now, suppose on victim.com, there's a user account with the email victim@gmail.com.
Step by step:
- I go to the vulnerable parent site — redacted.com — and create an account with the email victim@gmail.com. The site doesn't ask for email verification, so the account is created.
- I go to victim.com and click "Login with Redacted".
- I'm redirected to redacted.com and log into my account (which has victim@gmail.com).
- After the login process, redacted.com returns the unverified email victim@gmail.com to victim.com — as if it's a valid, verified email.
- Boom. I'm now logged into victim@gmail.com's account on victim.com.
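To show where the chain above can be cut on the relying-party side, here is an added example (not code from the original post or from either site) of how a site like victim.com consumes the provider's identity claims. It assumes an OpenID Connect style payload with the standard `iss`, `sub`, `email` and `email_verified` claims; the issuer URL, user table and claim values are constructed placeholders.

```python
# Added example: account linking at the relying party (the "victim.com" role).
# Assumes OpenID Connect claims; payloads and the user table are constructed.

ISSUER = "https://redacted.example"  # placeholder for the provider's issuer URL

# Constructed local user table: email -> account record.
# "federated" maps an issuer to the provider's stable subject id for that account.
LOCAL_USERS = {
    "victim@gmail.com": {"id": 42, "federated": {}},  # real user, never used OAuth
}

def link_by_email_unsafe(claims, users):
    """The flawed behaviour: trust the provider's email and log in whoever owns it."""
    acct = users.get(claims.get("email"))
    return acct["id"] if acct else None

def link_account(claims, users):
    """Hardened: match an existing local account by email only when the provider
    asserts it verified that address; otherwise rely on the (iss, sub) pair.
    Returns the local account id, or None when no account may be reused."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss != ISSUER or not sub:
        raise ValueError("claims not from the expected issuer")
    # 1. An account already bound to this federated identity always wins.
    for acct in users.values():
        if acct["federated"].get(iss) == sub:
            return acct["id"]
    # 2. Email matching is allowed only for a verified address. The check is
    #    against the boolean True, so "true" strings or missing claims are rejected.
    email = claims.get("email")
    if email and claims.get("email_verified") is True and email in users:
        users[email]["federated"][iss] = sub  # bind for future logins
        return users[email]["id"]
    # 3. Unverified or unknown email: never reuse an existing account. The caller
    #    must create a fresh one (or run its own verification) instead.
    return None

# Constructed payload mirroring the bug: the provider hands over an address it
# never verified, attached to the attacker's own provider-side subject id.
ATTACKER_CLAIMS = {"iss": ISSUER, "sub": "attacker-777",
                   "email": "victim@gmail.com", "email_verified": False}
```

With these claims the unsafe function hands back account 42, while `link_account` returns None; the same claims with `email_verified` true bind the provider subject to the account so later logins resolve by `sub` alone.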
The Scale of This Vulnerability
I could take over every single user account of every website that used this platform as an OAuth provider.
All you had to do was use this provider for login or sign-up — and I could take over your account.
Global-scale takeover.
The Payout
After many discussions with triagers, I managed to explain the bug to them — what it was and exactly where it happened.
At first, the company tried to use the "email not verified" excuse. But after they understood the impact and how dangerous the bug really was — they paid me $X as a bounty.
My Message to You
Most of the time, bugs don't come from super complex technical details.
It's the combination of bugs, your way of thinking, and your understanding of technology that gives you bugs.
Don't get disappointed. Keep learning. Keep finding cool, crazy bugs.
Kisses to you all ❤️
— Ali Mojaver