Home

Newsletter

About

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

Follow publication

Member-only story

No email verification leads to an Oauth account takeover.

Learn how to find this bug by reading this blog

loyalonlytoday

Published in

InfoSec Write-ups

3 min readFeb 18, 2025

Free link in the comments
👋 Hello all👋

So let’s see

After creating my account and logging into my account successfully.

I clicked on account settings

After I clicked on change email & password

After Entering a new email and my current password I clicked on Change email

You can see in the below image no confirmation link was sent.

My new email was changed without confirmation

I'm logged out from my account

Now I’m trying to log in with Google

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app

Or, continue in mobile web

Already have an account? Sign in

Published in InfoSec Write-ups

55K Followers

Last published 22 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by loyalonlytoday

345 Followers

230 Following

OSINT & BUG BOUNTY HUNTING

Responses (3)

Write a response

What are your thoughts?

Also publish to my profile

loyalonlytoday

Author

Feb 19

https://infosecwriteups.com/no-email-verification-leads-to-an-oauth-account-takeover-02eb30496939?source=friends_link&sk=aed3f52a4204987fc64beb2a80b4d5d8

AADII

Mar 3

i didnt understand if you change your email to victim but you still need victim oauth account so they not gonna accept this

Hlainghliang

Feb 26

did you get any bounty?

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams

InfoSec Write-ups

No email verification leads to an Oauth account takeover.

Learn how to find this bug by reading this blog

Create an account to read the full story.

Published in InfoSec Write-ups

Written by loyalonlytoday

Responses (3)

More from loyalonlytoday and InfoSec Write-ups

Free VPS for penetration and bug bounty hunting.

Free link in the comments

Secret Linux Commands: The Ones Your Teacher Never Told You About

oh yeah — I m your teacher gg

Best Browser Extensions for Bug Hunting and Cybersecurity

27 Must-Have Browser Extensions for BugHunters & Cybersec professional

How to find hidden parameters in your bug bounty target

Learn how to find hidden parameters in bug bounty target

Recommended from Medium

How Recon → SQLi Made €€€€ Bounty

Hi there…!

How i Find IDOR lead to account takeover

Hello Hunters , Hello Cyber-Sec Community

$100-$20k worth Stored XSS Vulnerability | Hidden Methods

Hidden Methods to bypass restriction to find Stored XSS in Bug Bounties

EASY P3 “Broken Access Control”

بسم الله والصلاة والسلام على نبينا المجاهد الشهيد

Critical IDOR on chat message (1000 USD)

When I was hunting on a private program, I noticed an API that was not included in their scope, so I ignored it. However, after hunting for…

How I Made $300 in 5 Minutes💰

🚀Free Article Link