🔥 Account Takeover via Duplicate Registration — A 1500 Euro Jackpot

PublishedMarch 31, 2025

•1 min read

The Bug

Found a critical account takeover in a web application’s registration flow.
The platform allowed creating the same account (same email) from a different session, even though the account already existed.

Step-by-Step PoC

Create account with email: xyz@account.com and place some orders.
In a different session, re-register using the same email: xyz@account.com.
✅ Registration works again — no error for duplicate account.
Now the attacker controls:
- The victim’s orders
- Can change the password
- Full account access = Total takeover.

Impact

Complete account takeover
Orders, personal data, everything exposed
Victim locked out after attacker changes password

Status

Accepted as High ✅
Rewarded 1500 Euros 💰

Takeaway

Duplicate account creation = critical bug hiding in plain sight.
Sometimes basic checks (like preventing duplicate registrations) protect the entire platform.

#bugbounty #webhacking

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

How a Simple Firebase Misuse Can Lock Out Users From Signing Up

In the world of user authentication, ensuring that email addresses are properly validated and managed is crucial. But what happens when an attacker can abuse a third-party authentication system to "reserve" someone else's email, effectively blocking ...

Apr 8, 20252 min read

The Curious Case lof Hidden Phone Number Change & POST-to-GET CSRF — A Hacker’s Tale with a twist

Introduction Sometimes, the most interesting vulnerabilities aren’t the flashy ones — they’re the sneaky, almost accidental bugs that show just how broken the logic behind a system can be. This is one such story where a "simple" password change page ...

Mar 31, 20253 min read

💸 "65 Euros for an Account Deletion Fail — When Deleted Doesn’t Mean Deleted"

The Bug I found a weird issue with the platform’s account deletion flow: When a user deletes their account, their added email addresses were not removed from the system. If the user tried to sign up again using the same email, they couldn’t — the s...

Mar 31, 20251 min read

Phishing in Android

The app can be launched by any other app because its deeplink activity is exported=true. Adb exploit adb shell am start -a android.intent.action.VIEW -n com.redacted.android/"com.redacted.activities.DeepLinkActivity" -d "https://evil.com" Apk Exploi...

May 3, 20231 min read

the security guy

10 posts

bugbounty finding writeups.

Command Palette