Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 12.02.2026
Last edited by cbay - 26.02.2026

FS#296 - Account Takeover via Improper OAuth Lifecycle Management

The application allows users to register and authenticate using Google OAuth.
However, when a user changes their email address, the application fails to properly manage the OAuth binding.

As a result, the original Google account remains permanently linked to the user account, even after the email is updated.

Steps to Reproduce

1- Register a new account using Google OAuth with: user1@gmail.com
2- Navigate to Account Settings
3- Change the email address to: user2@gmail.com
4- During this process, the application requires setting a new password, resulting in two active authentication methods: Email & Password and Google OAuth
5- Log out
6- Log in again using Google OAuth with the original Google account

Actual Result

Login via Google OAuth succeeds
The original Google account still has full access
Email change and password setup do not affect OAuth access

Impact

Persistent unauthorized access
Full account takeover
Users cannot secure their accounts by changing email
High risk in cases of Gmail compromise or lost devices

Attack Scenario
Attacker gains access to the victim’s Google account
Victim changes the email to secure the account
Attacker continues logging in via Google OAuth
Long-term access without detection

Root Cause

OAuth identity is permanently bound to the account
Email changes do not trigger OAuth revocation
Missing OAuth lifecycle management controls

Recommended Fix

Revoke all OAuth sessions on email change
Require re-authentication and OAuth re-linking
Allow users to disconnect OAuth providers

Thank You,

Waleed Anwar
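The following is an added illustration, not code from the project or from the reporter. It models the behaviour described in the report with a small in-memory account service: an external identity table keyed by (provider, subject), an email change that in the vulnerable variant leaves that table untouched, and a hardened variant that revokes every linked external identity and invalidates sessions on email change, plus an explicit "disconnect provider" operation that refuses to remove the last remaining login method. The provider subject id, the password hash string and the session_version counter are constructed for the example.

```python
# Added illustration (not the project's code) of the OAuth lifecycle bug in
# FS#296 and one hardening: revoke linked external identities and sessions on
# email change, and let the user disconnect a provider. All names constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OAuthKey = Tuple[str, str]  # (provider, provider subject id)


@dataclass
class User:
    user_id: int
    email: str
    password_hash: Optional[str] = None
    # external identity -> e-mail the provider asserted when the link was made
    oauth_links: Dict[OAuthKey, str] = field(default_factory=dict)
    # bumped to invalidate every existing session of this user (constructed)
    session_version: int = 0


class AccountService:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.users: Dict[int, User] = {}
        self.by_oauth: Dict[OAuthKey, int] = {}  # external identity -> user id

    def register_with_oauth(self, provider: str, sub: str, email: str) -> User:
        user = User(user_id=len(self.users) + 1, email=email)
        user.oauth_links[(provider, sub)] = email
        self.users[user.user_id] = user
        self.by_oauth[(provider, sub)] = user.user_id
        return user

    def _revoke_links(self, user: User) -> None:
        # Drop every external identity mapping and kill existing sessions.
        for key in list(user.oauth_links):
            self.by_oauth.pop(key, None)
        user.oauth_links.clear()
        user.session_version += 1

    def change_email(self, user: User, new_email: str, new_password_hash: str) -> None:
        user.email = new_email
        user.password_hash = new_password_hash
        if self.hardened:
            # The Google identity vouched for the old address only: revoke it and
            # all sessions, and let the user re-link from a fresh authenticated session.
            self._revoke_links(user)

    def unlink_oauth(self, user: User, provider: str, sub: str) -> bool:
        """User-initiated 'disconnect provider'. Refuses to leave the account
        with no login method at all."""
        key = (provider, sub)
        if key not in user.oauth_links:
            return False
        if user.password_hash is None and len(user.oauth_links) == 1:
            return False
        del user.oauth_links[key]
        self.by_oauth.pop(key, None)
        return True

    def login_with_oauth(self, provider: str, sub: str) -> Optional[User]:
        user_id = self.by_oauth.get((provider, sub))
        return self.users.get(user_id) if user_id is not None else None


def reproduce(hardened: bool) -> bool:
    """Run the report's steps 1-6. Returns True if the original Google account
    still logs in after the e-mail change (i.e. the bug is present)."""
    svc = AccountService(hardened=hardened)
    user = svc.register_with_oauth("google", "sub-1234", "user1@gmail.com")  # step 1
    svc.change_email(user, "user2@gmail.com", "constructed-password-hash")    # steps 2-4
    return svc.login_with_oauth("google", "sub-1234") is user                 # steps 5-6


if __name__ == "__main__":
    print("vulnerable, OAuth login still succeeds:", reproduce(hardened=False))
    print("hardened, OAuth login still succeeds:  ", reproduce(hardened=True))
```

In the hardened variant the email change is treated as a credential-reset event: everything that was bound to the old identity is dropped together with live sessions, and any further linking has to be done by a user who has just re-authenticated with the new email and password.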

Closed by cbay
26.02.2026 10:38
Reason for closing: Fixed

Any Update Sir?

Any Update Sir?

Admin
cbay commented on 26.02.2026 08:38

Hello,

Can you confirm that the issue is fixed?

Kind regards,
Cyril

I confirmed, it's Fixed.

Admin
cbay commented on 26.02.2026 10:38

OK, you can claim your bounty by opening a support ticket then.
