Praise be to Allah, and peace and blessings be upon the Messenger of Allah. O Allah, teach us what benefits us, benefit us by what You have taught us, and increase us in knowledge.

Hi everyone,

During my testing, I discovered a logic flaw that can lead to a full account takeover without any user interaction (zero-click).

The application allows users to create an account and later change the account email address without verifying ownership of the new email. This is where the issue starts.

How the attack works

An attacker first registers an account using their own email address. After registration, the attacker changes the account email to the victim's email address, and the application accepts this change without sending any verification email.

When the victim later tries to sign up, they are informed that their email address is already registered. As expected, the victim uses the Forgot Password functionality, resets the password, and starts using the account normally, believing it fully belongs to them.

However, the critical issue is that the application still accepts password reset requests using the original email address that was used during account creation.

At any point in time, the attacker can trigger the Forgot Password flow using their original email. The password reset link is sent to the attacker's inbox, allowing them to reset the password and regain full control over the account — silently and without the victim's knowledge.

Impact

This results in a persistent account takeover scenario:

  • The attacker can repeatedly regain access.
  • The victim has no clear way to permanently secure the account.
  • All victim data and actions inside the account can be accessed or modified.

Root cause

  • Missing email ownership verification during email change
  • Improper password reset logic that does not invalidate old email associations
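The flawed flow above next to a hardened one, as an added example that is not from the original post: a minimal in-memory model (the class, method names, addresses and the token scheme are my own assumptions) in which `hardened=False` reproduces both root causes, while `hardened=True` applies an email change only after a token sent to the new inbox is presented and then drops the old association, so the original address can no longer request a reset.

```python
import secrets

class AccountService:
    """Minimal in-memory model; hardened=False reproduces the described flaw."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}  # id -> {"current": email, "original": email}
        self.pending = {}   # change token -> (account id, new email)

    def register(self, email):
        aid = len(self.accounts) + 1
        self.accounts[aid] = {"current": email, "original": email}
        return aid

    def change_email(self, aid, new_email):
        if not self.hardened:
            # Flaw 1: the new address is accepted with no proof of ownership,
            # and the original address stays associated with the account.
            self.accounts[aid]["current"] = new_email
            return None
        # Fix 1: nothing changes until a token mailed to the NEW address is
        # presented, so only the owner of that inbox can complete the change.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (aid, new_email)
        return token

    def confirm_email_change(self, token):
        aid, new_email = self.pending.pop(token)
        # Fix 2: the old address is dropped, so it can no longer reach the account.
        self.accounts[aid].update(current=new_email, original=new_email)

    def forgot_password(self, email):
        """Return the account id a reset link would be mailed for, or None."""
        for aid, acct in self.accounts.items():
            if acct["current"] == email:
                return aid
            if not self.hardened and acct["original"] == email:
                return aid  # Flaw 2: reset also honoured for the stale address
        return None

def run_scenario(hardened):
    """Replay the write-up's steps and report what the attacker can still do."""
    svc = AccountService(hardened)
    aid = svc.register("attacker@example.test")      # constructed addresses
    token = svc.change_email(aid, "victim@example.test")
    swapped = svc.accounts[aid]["current"] == "victim@example.test"
    if token:  # hardened: only the owner of the new inbox could present this
        svc.confirm_email_change(token)
    victim_reset = svc.forgot_password("victim@example.test") == aid
    stale_reset = svc.forgot_password("attacker@example.test") is not None
    return {"swapped": swapped, "victim_reset": victim_reset, "stale_reset": stale_reset}
```

In the hardened run the address is never swapped without confirmation, and even after a legitimate confirmation the original address yields no reset link, which is the check to look for when testing an email-change feature.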

Thanks for reading, and I hope this helps others recognize similar logic issues during testing.


Finally, thanks for reading! Stay curious and keep learning.