BUG #4382
[Critical] OAuth Signup Misconfiguration Leads to Account Takeover / OTP Bypass
Status: open
Description
We identified an account takeover issue caused by improper account-linking and signup validation between the normal email/password registration flow and Google OAuth signup.
The application allows an attacker to start a signup process using a victim’s email address through the regular registration flow, where OTP verification is expected but not yet completed. Later, when the real victim signs up using Google OAuth with the same email address, the application incorrectly links or activates the previously attacker-created account instead of enforcing proper ownership verification and secure account binding.
As a result, the attacker retains control over the account created with the victim’s email and password, while the victim unknowingly signs into that attacker-controlled account through Google OAuth.
This effectively bypasses OTP-based email verification and results in full account takeover.
Steps to Reproduce
1. Go to the normal signup page.
2. Register a new account using the victim's email address (e.g. victim@gmail.com) and an attacker-controlled password.
3. Submit the signup form until the system sends an OTP verification request.
4. Do not verify the OTP.
5. Keep the partially created / pending account state as is.
6. Wait for the real victim to sign up using Google OAuth with the same email address.
7. After the victim completes Google signup, attempt to log in using the attacker-defined email/password credentials from step 2.
8. Observe that the attacker now has access to the victim's account, or that the victim is bound to the attacker-created account.
Actual Result
A previously unverified email/password signup attempt can be improperly linked to a later Google OAuth signup for the same email address, allowing the attacker to control the resulting account.
Expected Result
The application should never allow an unverified email/password registration attempt to be linked, activated, or merged with a later OAuth signup for the same email address.
Secure behavior should be:
- Unverified accounts must remain unusable until OTP verification is completed.
- OAuth signup must verify whether the existing account is verified and legitimately owned before linking.
- If an email already exists in an unverified state, the system should require secure re-verification or reject account linking entirely.
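The following is an added example, not the application's own code: an in-memory model of the two signup paths that puts the reported linking behaviour beside the expected one. The store layout, function names and the OAuth subject/email values are assumptions for illustration; the OTP is returned from the registration call instead of being emailed so the model runs offline.

```python
"""Account-linking model: email/password signup with OTP next to OAuth signup.

Added example (not the application's own code). `oauth_signup_vulnerable`
models the behaviour described in the report: a later OAuth signup activates
a pending, unverified password account for the same email and keeps its
password. `oauth_signup_secure` applies the expected behaviour: an unverified
record is never linked or activated. All names and the store layout are
assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Callable, Optional, Tuple

# Constructed in-memory store: email -> account record (assumed layout)
ACCOUNTS = {}


def _hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register_with_password(email: str, password: str) -> str:
    """Normal signup: create a PENDING record and issue an OTP (returned here
    instead of being emailed). The record stays unusable until verify_otp()."""
    existing = ACCOUNTS.get(email)
    if existing is not None and existing["verified"]:
        raise ValueError("email already registered")
    salt, digest = _hash_password(password)
    otp = "%06d" % secrets.randbelow(10 ** 6)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": digest, "verified": False,
                       "otp": otp, "oauth_sub": None}
    return otp


def verify_otp(email: str, otp: str) -> bool:
    """Complete the normal signup; only the mailbox owner can supply the OTP."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["verified"] or acct["otp"] is None:
        return False
    if not hmac.compare_digest(acct["otp"], otp):
        return False
    acct["verified"], acct["otp"] = True, None
    return True


def oauth_signup_vulnerable(email: str, oauth_sub: str) -> None:
    """Reported behaviour: bind the Google identity to whatever record exists
    for this email and activate it, without checking who created it."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        ACCOUNTS[email] = {"salt": None, "pw_hash": None, "verified": True,
                           "otp": None, "oauth_sub": oauth_sub}
        return
    acct["oauth_sub"] = oauth_sub
    acct["verified"] = True  # the pending password hash survives: defect


def oauth_signup_secure(email: str, oauth_sub: str) -> None:
    """Expected behaviour: an unverified record is discarded, never linked or
    activated; a verified local account is linked only after re-verification
    (modelled here by refusing the automatic link)."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["verified"]:
        # Replace the unverified attempt wholesale; no password credential survives.
        ACCOUNTS[email] = {"salt": None, "pw_hash": None, "verified": True,
                           "otp": None, "oauth_sub": oauth_sub}
        return
    raise PermissionError("verified account exists: re-verify ownership before linking")


def login_with_password(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["verified"] or acct["pw_hash"] is None:
        return False
    _, digest = _hash_password(password, acct["salt"])
    return hmac.compare_digest(digest, acct["pw_hash"])


def pending_password_survives(oauth_handler: Callable[[str, str], None]) -> bool:
    """Regression check: run the report's sequence (constructed values) against
    one OAuth handler and report whether the never-verified password still
    opens the account afterwards. True means the defect is present."""
    ACCOUNTS.clear()
    register_with_password("victim@example.com", "pending-pw")  # OTP never verified
    oauth_handler("victim@example.com", "google-sub-123")       # owner signs up via OAuth
    return login_with_password("victim@example.com", "pending-pw")
```

The secure handler treats the unverified record as a claim with no proven owner: it throws the record away rather than merging it, so nothing the earlier registrant set reaches the OAuth-created account. The same regression check can be kept as a unit test for the real callback handler.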
Impact
This vulnerability can lead to full account takeover of any user who later signs up with Google OAuth using an email address that was pre-registered by an attacker.
Proof of Concept