- Status: Closed
- Assigned To: nferrari
- Private
- Opened by nhlimon - 18.10.2025
- Last edited by nferrari - 20.10.2025
FS#226 - Bug Bounty Report: Account Takeover via Implicit OAuth Account Linking Without Verification
Severity:
High
Summary:
OAuth account linking occurs automatically and implicitly on the company's web application, without requiring user verification, which can enable account takeover. Suppose an attacker signs up using OAuth with the same email as an existing account (registered via email/password). In that case, they are granted access to that existing account without any ownership validation, which is a critical authentication flaw.
Steps to Reproduce:
1. Create a target account (victim):
   - Go to alwaysdata.com.
   - Register a new account using email/password, e.g., victim@example.com.
   - Log out.
2. Trigger the issue (attacker):
   - Go to the website.
   - Log in using an OAuth provider (e.g., Google or Apple) that uses the same email address: victim@example.com.
3. Observe:
   - The OAuth login automatically links to the existing account created via email/password.
   - No verification (like a password prompt, email confirmation, or user consent) is required.
   - The attacker now has full access to the victim's account.
Impact:
This vulnerability allows an attacker to fully compromise accounts by using an OAuth provider with an email address matching an existing account, without needing the victim’s password or any verification step.
Possible consequences:
- Unauthorized access to personal data.
- Tracking information leakage.
- Service misuse or device control.
- Breach of privacy and user trust.
Recommended Fixes:
- Do not auto-link OAuth accounts based solely on email.
- Prompt the user for verification when an existing account with the same email exists, e.g., via:
  - password input,
  - email confirmation,
  - an explicit linking process in settings.
- Provide clear UI/UX for account linking that ensures user intent.
Suggested CVSS (3.1) Score:
8.8 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Regards,
Mehedi Hasan
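To make the recommended fix concrete, here is an added example (not alwaysdata's code, and not a claim about how their login works) that puts the auto-link-on-email behaviour the report describes next to a hardened handler which refuses to issue a session for an existing account until the IdP asserts the address is verified and the caller proves ownership; the user store, the `email_verified` claim handling and the password stand-in are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

def hash_pw(pw: str) -> str:
    # Stand-in for a real password hash (use argon2/bcrypt in production).
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class User:
    email: str
    password_hash: Optional[str] = None
    linked_providers: set = field(default_factory=set)

def seed_users() -> dict:
    # Constructed sample store: one victim registered via email/password only.
    return {"victim@example.com": User("victim@example.com", hash_pw("correct horse"))}

def check_password(user: User, candidate: str) -> bool:
    return user.password_hash is not None and hmac.compare_digest(
        user.password_hash, hash_pw(candidate))

def oauth_callback_vulnerable(users: dict, provider: str, claims: dict) -> dict:
    """Trusts the IdP email claim and silently merges into any existing account."""
    email = claims["email"]
    user = users.get(email)
    if user is None:
        user = users[email] = User(email)
    user.linked_providers.add(provider)       # no ownership check at all
    return {"session_for": email, "linked": True}

def oauth_callback_hardened(users: dict, provider: str, claims: dict,
                            reauth_password: Optional[str] = None) -> dict:
    """Links only if the IdP says the email is verified AND the caller proves
    ownership of the local account (password re-auth here; an email
    confirmation or an in-settings linking flow would serve the same purpose)."""
    email = claims.get("email")
    if not email or not claims.get("email_verified"):
        return {"error": "unverified_email"}
    user = users.get(email)
    if user is None:                          # genuinely new user: nothing to link
        users[email] = User(email, linked_providers={provider})
        return {"session_for": email, "linked": True}
    if provider in user.linked_providers:     # linked earlier, with consent
        return {"session_for": email, "linked": True}
    if reauth_password is None or not check_password(user, reauth_password):
        # No session is issued; the UI must ask the user to verify first.
        return {"error": "verification_required", "pending_link": provider}
    user.linked_providers.add(provider)
    return {"session_for": email, "linked": True}
```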
Hi,
It seems pretty obvious you did not even try, because we DO ask for password authentication in the case where the email has been found in our system after an OAuth connection.
If we are wrong, please provide some demonstration.