☕ The Coffee-Fueled Recon
Like every other bug hunter, I was sipping coffee and poking around a target’s login flow. Nothing fancy: just a standard signup form + a shiny “Login with Google” button.
I thought: “Okay brother, this is normal.”
So I created an account with a random email. Guess what? No verification email. The account was instantly live.
At that moment, in my head: “Brother, this is free entry… let’s hope this doesn’t turn into a backdoor 😏”
💡 The Sus Idea
I asked myself:
- What if a user signs up with Google later using the same email?
- Will the site stop them?
- Or merge both accounts?
Coffee sip… let’s test it.
🔥 Exploit Time
- I signed up with email → account created instantly.
- Logged out.
- Came back, this time clicked Login with Google using the same email.
- Result? Logged into the same account automatically.
No verification. No alert. No questions.
Me: 😳
Target: “Yes brother, this account is definitely yours.”
🚨 Impact
This is a 0-click Account Takeover waiting to happen.
- Attacker registers victim’s email first.
- Victim later tries to sign in with Google.
- Instead of a fresh account, victim lands in attacker-controlled account.
Impact level: High/Critical because:
- Pre-hijacking of any user’s account.
- Possible takeover of privileged emails (like admin@company.com).
- Access to sensitive user data.
🛠️ Fix It Please
- Verify all emails (OAuth + manual signup).
- Don’t auto-merge accounts just because emails match.
- Use a secure account linking flow (e.g., send confirmation mail before merge).
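To make the exploit steps and the fix concrete, here is an added example (my own toy code, not the target’s implementation) with a tiny in-memory account store: `login_google_vulnerable` reproduces the auto-merge on matching email, and `login_google_hardened` refuses to link a Google login to an account whose address was never confirmed. All names and the `google_says_verified` flag are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    email: str
    email_verified: bool = False          # True only after the confirmation link is used
    providers: set = field(default_factory=set)


class AccountStore:
    """Constructed in-memory user store for the demo (not the target's code)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def signup_with_password(self, email: str) -> Account:
        # As in the write-up: the account is live immediately, but we record
        # that the address has not been confirmed.
        return self.accounts.setdefault(email, Account(email=email))

    def confirm_email(self, email: str) -> None:
        # Called when the user follows the link in the confirmation mail.
        self.accounts[email].email_verified = True

    def login_google_vulnerable(self, email: str) -> Account:
        # Vulnerable behaviour: same email => same account, with no check that
        # the pre-registered address was ever verified (pre-hijacking).
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        acct.providers.add("google")
        return acct

    def login_google_hardened(self, email: str,
                              google_says_verified: bool) -> Tuple[str, Optional[Account]]:
        # Hardened flow: link only when both sides have proven control of the address.
        if not google_says_verified:
            return ("rejected", None)            # IdP did not vouch for the email
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True, providers={"google"})
            self.accounts[email] = acct
            return ("logged_in", acct)           # fresh account, nothing to merge
        if not acct.email_verified:
            # Existing account never confirmed the address: do not merge, do not log in.
            # A real service would send a confirmation mail to the address here.
            return ("pending_confirmation", None)
        acct.providers.add("google")
        return ("logged_in", acct)
```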
🎯 Conclusion
This bug reminded me: Authentication systems fail when you skip the basics. A single missing email verification step turned into a full-blown Account Takeover vector. From one small misconfig → straight to Critical severity.
And yes… all this happened while I was just casually sipping coffee. ☕
— AIwolfie