Vulnerability Report (Public Bug Bounty Program)
A vulnerability was found in a web application: an attacker who had gained access to a user's email could take over the victim's account on [redacted].com even after the email for that account had been changed to a new one.
Let's consider a scenario where a user's email has been compromised by an attacker and they have lost access to that mailbox.
Naturally, the user would go to the web app at [redacted].com and change their email address to a new one in an attempt to "minimize the damage".
In this particular case, the attacker could still use the compromised email to gain access to the user's [redacted].com account, rendering the victim's attempt to protect their account ineffective. If the attacker used the compromised email to sign up for an account with the web app, the application would take them into the victim's account upon login even though the account's email had been changed to a new one. Ultimately, the attacker could gain full access to that account, including all of the functionality a normal user has on that website. In other words, a user had no way of stopping the attack from escalating further.
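The following is an added illustration, not code from the report or the affected site: a toy account store that models the behaviour described above. The vulnerable store resolves identity through the address used at registration, which it never updates, so an email change leaves a stale binding that a later sign-up with the old address still resolves to; the fixed store binds identity to the current address only and releases the old one. Class names, the `sign_up_or_login` entry point and the example addresses are all assumptions.

```python
class Account:
    def __init__(self, account_id: int, email: str) -> None:
        self.account_id = account_id
        self.signup_email = email    # never updated in the vulnerable store
        self.current_email = email   # what the settings page shows and updates


class VulnerableAccountStore:
    """Identity lookup keyed on the registration address; change_email() only
    touches current_email, so the index keeps pointing at the old account."""

    def __init__(self) -> None:
        self._index: dict[str, Account] = {}   # email -> Account
        self._next_id = 1

    def sign_up_or_login(self, email: str) -> Account:
        # Assumed: the caller has already proven control of the mailbox.
        # Bug: an address still present in the index resolves to the existing
        # account even though that account no longer lists it as its email.
        key = email.lower()
        if key in self._index:
            return self._index[key]
        acct = Account(self._next_id, key)
        self._next_id += 1
        self._index[key] = acct
        return acct

    def change_email(self, acct: Account, new_email: str) -> None:
        acct.current_email = new_email.lower()   # stale binding: index unchanged


class FixedAccountStore(VulnerableAccountStore):
    """Identity follows current_email; the old address is unbound on change."""

    def change_email(self, acct: Account, new_email: str) -> None:
        new_key = new_email.lower()
        if new_key in self._index:
            raise ValueError("address already in use")
        del self._index[acct.current_email]   # release the old address
        acct.current_email = new_key
        self._index[new_key] = acct           # re-key on the new address only


def old_address_still_resolves(store: VulnerableAccountStore) -> bool:
    """Constructed scenario: the victim changes their email, then someone
    signs up with the old address. True means the old address still lands
    in the victim's account (the reported bug)."""
    victim = store.sign_up_or_login("victim@example.com")        # constructed
    store.change_email(victim, "victim-new@example.com")          # constructed
    later = store.sign_up_or_login("victim@example.com")
    return later.account_id == victim.account_id
```

The same check can be run against a real application as a regression test after the fix: register, change the address, then attempt registration with the original address and confirm it yields a fresh, empty account.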
I reported this vulnerability to the website's public bug bounty program on Bugcrowd last year. The vulnerability was patched within a couple of weeks and the report was closed as informative due to high complexity and due to the fact that the attacker would have to have access to the user's email (the email that was originally used to sign up on the website).