- Status: Closed
- Assigned To: cbay
- Private
- Opened by w4rcrypt - 09.01.2026
- Last edited by cbay - 09.01.2026
FS#283 - Email Address Change Without Verification or User Notification Leading to Pre-Account Takeover
The application allows a logged-in user to change the account email address without requiring any verification of the new email address and without sending a notification to the original email owner. This behavior can be abused by an attacker to silently change the victim's email address and perform an account takeover.
Vulnerability Type: Improper Account Management
Affected Functionality: Email change feature
Impact Severity: Medium
Steps to Reproduce:
1. Go to the following URL: https://admin.alwaysdata.com
2. Log in to a valid user account.
3. Navigate to Profile Settings.
4. Change the registered email address to another email address (you can use the victim's email).
5. Submit the request
6. Observe that no verification email is sent to the new email address and no notification or alert is sent to the old one.
7. Now any attacker can enable 2FA and lock out the owner of that email address, or even perform a pre-account takeover.
Impact:
1. Account Lockout
2. Pre-Account Takeover
Recommendation:
1. Enforce mandatory verification for any email address change.
2. Send immediate security notifications to both the old and new email addresses.
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
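To make the two recommendations concrete, here is an added example (not code from alwaysdata or from the reporter) of the weak flow described above beside a hardened one. The user store, mailer, addresses and the confirmation URL are all constructed for the demonstration. The hardened flow stages the new address as pending, mails a one-time token only to the new mailbox, warns the old mailbox at once, and only swaps the live address when the token is confirmed; because an unconfirmed claim never becomes the live address, an attacker who enters the victim's email cannot lock the victim out or reserve the address.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumption: the confirmation link is valid for one hour


@dataclass
class User:
    user_id: int
    email: str
    pending_email: Optional[str] = None        # awaiting confirmation; NOT the live address
    pending_token_hash: Optional[str] = None   # only a hash of the token is stored server-side
    pending_expires_at: float = 0.0


class Mailer:
    """Constructed stand-in for an outbound mailer: records messages instead of sending them."""

    def __init__(self) -> None:
        self.sent: list = []  # (recipient, subject, body)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def make_users() -> dict:
    """Constructed sample accounts: the victim (1) and an attacker-controlled account (2)."""
    return {1: User(1, "alice@example.test"), 2: User(2, "mallory@example.test")}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(user: User) -> None:
    user.pending_email = None
    user.pending_token_hash = None
    user.pending_expires_at = 0.0


# Weak shape, as reported above: the new address goes live immediately and nobody is mailed.
def change_email_unverified(users: dict, user_id: int, new_email: str) -> bool:
    users[user_id].email = new_email.strip().lower()
    return True


# Hardened shape: stage the change, prove control of the new mailbox, warn the old one.
def request_email_change(users: dict, mailer: Mailer, user_id: int, new_email: str,
                         now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    user = users[user_id]
    new_email = new_email.strip().lower()
    if new_email == user.email:
        return None
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.pending_token_hash = _hash_token(token)
    user.pending_expires_at = now + TOKEN_TTL_SECONDS
    # Only the holder of the NEW mailbox ever sees the token (hypothetical confirmation URL).
    mailer.send(new_email, "Confirm your new email address",
                f"https://admin.example.test/confirm-email?token={token}")
    # The OLD mailbox is told immediately, while the change is still reversible.
    mailer.send(user.email, "Email change requested",
                f"Someone asked to change this account's address to {new_email}. "
                "If this was not you, secure your account now.")
    return token  # returned so the caller can follow the link; production code only emails it


def confirm_email_change(users: dict, mailer: Mailer, token: str,
                         now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    digest = _hash_token(token)
    user = next((u for u in users.values()
                 if u.pending_token_hash is not None
                 and hmac.compare_digest(u.pending_token_hash, digest)), None)
    if user is None:
        return False
    if now > user.pending_expires_at:
        _clear_pending(user)
        return False
    new_email = user.pending_email
    # Uniqueness is enforced at confirmation, so an unverified claim never blocks the real owner.
    if any(u.email == new_email for u in users.values() if u.user_id != user.user_id):
        _clear_pending(user)
        return False
    old_email = user.email
    user.email = new_email
    _clear_pending(user)  # token is single-use
    mailer.send(old_email, "Your email address was changed", f"This account now uses {new_email}.")
    mailer.send(new_email, "Email address confirmed", "Your new address is now active.")
    return True
```

Running the attacker's scenario from the report through both functions shows the difference: `change_email_unverified` lets account 2 claim `alice@example.test` with no mail sent, whereas `request_email_change` leaves account 2's live address untouched, puts the token only in Alice's mailbox, and `confirm_email_change` still refuses because the address belongs to account 1. The old address is notified at request time, not only after the swap, which is the window in which the real owner can still react.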
Recording no verification.mp4