June 16, 2026
Pre-Account Takeover via OAuth Linking and Missing Email Verification
Muzamil
Introduction
While testing authentication flows on a web application, I discovered a security issue involving account creation, email verification, and OAuth-based login linking. The flaw allowed an account created by an attacker to overlap with the account of a legitimate user who later signed in via Google OAuth.
This write-up explains the vulnerability, its impact, and the outcome after responsible disclosure.
Vulnerability Summary
The application allowed account creation using an email address without requiring email verification. Later, when the legitimate owner of the same email logged in using Google OAuth, the system linked both authentication methods to the same account.
In certain cases, this resulted in persistent access to the same workspace/account from both the attacker's initial credentials and the victim's OAuth login.
Affected Area
- Authentication system
- OAuth login integration
- Account linking logic
- Email verification flow
Steps to Reproduce
- Create an account using any email address without completing email verification.
- Set a password and log in using the created credentials.
- Log out and keep the account active in the system.
- The legitimate owner of the same email logs in using Google OAuth.
- The system links the OAuth identity to the existing unverified account.
- The original credentials may still allow access to the same account/workspace depending on session state.
Observed Behavior
- No mandatory email verification before account activation.
- OAuth login automatically linked to pre-existing account.
- Account state was shared between both authentication methods.
- In some cases, sessions remained valid across login methods.
Expected Behavior
- Email ownership should be verified before account activation.
- OAuth login should not automatically bind to unverified accounts.
- Identity linking should require explicit verification or confirmation.
- Existing sessions should be invalidated when account identity changes.
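The following is an added example, not the affected application's code, modelling the reproduction steps and the expected behavior above as two linking policies in one in-memory auth service (all class and function names are hypothetical): with `require_verification=False` the service reproduces the vulnerable flow, and with `require_verification=True` it applies the fix of refusing to bind an OAuth identity to an unverified record and discarding that record's sessions.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    email: str
    password: str = ""
    email_verified: bool = False
    sessions: set = field(default_factory=set)

class AuthService:
    def __init__(self, require_verification):
        self.require_verification = require_verification  # False = vulnerable, True = fix
        self.accounts = {}
    def _issue_session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token
    def signup_with_password(self, email, password):
        # Steps 1-2: the record exists and is usable before any email check
        self.accounts[email] = Account(email=email, password=password)
        return self.login_with_password(email, password)
    def login_with_password(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return None
        if self.require_verification and not acct.email_verified:
            return None  # hardened: no session until ownership is proven
        return self._issue_session(acct)

    def login_with_google(self, email):
        # Steps 4-5: the IdP has asserted that the caller owns `email`
        acct = self.accounts.get(email)
        if acct is not None and not acct.email_verified:
            if self.require_verification:
                acct = None  # hardened: never bind to an unverified placeholder
            else:
                acct.email_verified = True  # vulnerable: silently adopt the record
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        return self._issue_session(acct)

def attacker_retains_access(require_verification):
    # Replay the write-up's steps (constructed sample data); True = pre-account takeover succeeds
    email = "victim@example.com"
    svc = AuthService(require_verification)
    token = svc.signup_with_password(email, "attacker-pw")
    svc.login_with_google(email)  # the legitimate owner signs in with Google
    return (token in svc.accounts[email].sessions
            or svc.login_with_password(email, "attacker-pw") is not None)
```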
Security Impact
This issue could lead to:
- Pre-account takeover scenarios
- Unauthorized access to user accounts
- Access to workspaces and associated resources
- Potential exposure of subscription-based features depending on account state
Disclosure Outcome
The issue was responsibly reported through the platform's disclosure channel with full reproduction steps and proof of concept.
After reporting:
- The issue appears to have been addressed and resolved.
- No formal response, acknowledgment, or bounty decision was received despite multiple months passing.
While the vulnerability itself seems fixed, the lack of communication or feedback loop left the report without closure.
Final Thoughts
This issue highlights two gaps:
- Technical gap in authentication design (email verification + OAuth linking).
- Process gap in handling security reports and researcher communication.
Improving both is essential for maintaining trust in responsible disclosure programs and encouraging future security research.