Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by ciphernest7 - 01.07.2026
Last edited by cbay - 02.07.2026

FS#362 - Email Verification Bypass via Google OAuth Account Linking

Dear Security Team,

I hope you are doing well. I would like to responsibly disclose a potential authentication and account-linking issue identified during testing of the Google OAuth login functionality.

Vulnerability Summary

Category: Authentication / Improper Account Verification
Severity: High

Description

During testing, I observed that an account created using the traditional email and password registration process could be linked with a Google OAuth identity before the email address had been verified. Although the application continued to enforce email verification for password-based authentication, the Google OAuth account was successfully associated with the unverified profile.

This behavior suggests that OAuth account linking occurs without first confirming that the email ownership verification process has been completed.

Additionally, after the OAuth linking process, the application redirected to an OAuth callback endpoint that returned a 404 Page Not Found response, indicating an inconsistency in the authentication workflow.

Steps to Reproduce

1. Register a new account using Email and Password.
2. Do not verify the email address.
3. Log out of the account.
4. Select Sign in with Google.
5. Authenticate using the same Google account associated with the registered email address.
6. Observe that the application sends the following notification: A (Google) OAuth connection has been configured on your profile.
7. Follow the OAuth authentication flow.
8. The application redirects to: /oauth/google/callback/
9. Observe that the endpoint returns: 404 - Page Not Found
10. Open a new browser session and attempt to log in using the original email and password.
11. The application still requires email verification before allowing password-based authentication.

Observed Behavior

• Google OAuth successfully links to the account before email verification is completed.
• Email/password authentication continues to require email verification.
• OAuth callback results in a 404 response, indicating an incomplete or inconsistent authentication flow.

Expected Behavior

The application should verify ownership of the registered email address before permitting external identity providers (such as Google OAuth) to be linked with the account, unless this behavior is explicitly intended.

If OAuth login is intended to satisfy email ownership verification, the application should consistently mark the account as verified and complete the authentication flow without errors.

Security Impact

Depending on the intended authentication design, this behavior may result in:

• Inconsistent authentication state.
• Improper account-linking logic.
• Potential bypass of email verification requirements.
• Confusion regarding account ownership validation.
• Increased attack surface if account-linking validation is not consistently enforced.

Although I did not observe direct account takeover during testing, the current behavior indicates that the account verification and OAuth linking processes may not be consistently enforced.

Recommendation

I recommend reviewing the OAuth account-linking workflow to ensure that:

• Email ownership verification is consistently enforced before linking external identity providers, or
• Successful OAuth authentication is explicitly treated as verified email ownership and the account state is updated accordingly.
• OAuth callback endpoints are correctly configured to prevent unexpected 404 responses.
• Account verification logic remains consistent across all supported authentication methods.

Conclusion

The observed behavior suggests an inconsistency between the traditional email verification process and Google OAuth account linking.

Reviewing the authentication workflow and enforcing consistent account verification logic will help reduce the risk of authentication-related issues and improve the overall security posture of the platform.

This report is submitted under responsible disclosure. I would be happy to provide any additional information or assist with validation if required.

Kind regards,
Cyber_Subhash
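The report's Recommendation section describes two acceptable linking policies (refuse to link until the account's own email verification has completed, or treat a provider-verified email as proof of ownership and mark the account verified) and contrasts them with the observed behaviour, where the link is created and the local verification flag is left untouched. The example below, added here and not code from the project or the reporter, models all three as small functions over a toy account record, together with the invariant the Observed Behavior section violates. The `Account` and `OAuthIdentity` dataclasses and the provider's `email_verified` claim (as carried in an OpenID Connect ID token) are assumptions made for the illustration.

```python
"""Added example: account-linking policies for an account whose email is still
unverified. Nothing here is the project's code; the data model and the
provider-side `email_verified` claim are assumptions for the illustration."""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_verified: bool = False
    # provider name -> provider-side subject identifier (assumed model)
    oauth_links: dict = field(default_factory=dict)


@dataclass
class OAuthIdentity:
    provider: str
    subject: str
    email: str
    email_verified: bool  # what the provider asserts about its own user


class LinkRefused(Exception):
    """Raised when the linking policy refuses to attach an external identity."""


def link_as_reported(account: Account, identity: OAuthIdentity) -> Account:
    """The behaviour the report describes: link on an email match alone and
    leave the account's own verification flag untouched."""
    if identity.email.casefold() != account.email.casefold():
        raise LinkRefused("external identity email does not match the account")
    account.oauth_links[identity.provider] = identity.subject
    return account


def link_consistently(account: Account, identity: OAuthIdentity,
                      accept_provider_verification: bool = True) -> Account:
    """One of the two options the report recommends, selected by flag:
    - True: a provider-verified email counts as proof of ownership, so the
      account is marked verified at the moment the link is created;
    - False: linking is refused until the account's own verification is done.
    """
    if identity.email.casefold() != account.email.casefold():
        raise LinkRefused("external identity email does not match the account")
    if not account.email_verified:
        if accept_provider_verification and identity.email_verified:
            account.email_verified = True
        else:
            raise LinkRefused("verify the account email before linking a provider")
    account.oauth_links[identity.provider] = identity.subject
    return account


def verification_state_is_consistent(account: Account) -> bool:
    """Invariant violated in the report: an account with a linked external
    identity must not still be waiting for email verification."""
    return account.email_verified or not account.oauth_links


def demo() -> dict:
    """Run the three policies on a fresh unverified account and a Google
    identity whose email the provider has verified (constructed sample data)."""
    identity = OAuthIdentity(provider="google", subject="sub-123",
                             email="user@example.com", email_verified=True)

    reported = link_as_reported(Account("user@example.com"), identity)
    accepted = link_consistently(Account("user@example.com"), identity)
    try:
        link_consistently(Account("user@example.com"), identity,
                          accept_provider_verification=False)
        strict_refused = False
    except LinkRefused:
        strict_refused = True

    return {
        "reported_consistent": verification_state_is_consistent(reported),
        "accepted_consistent": verification_state_is_consistent(accepted),
        "accepted_verified": accepted.email_verified,
        "strict_refused": strict_refused,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the reported policy producing an account that fails the consistency invariant (linked provider, email still unverified), while either recommended policy leaves the account in a state where the password login and the OAuth login agree on whether the email has been proven. A real implementation would also check the provider's `email_verified` claim rather than only the email string, since an unverified provider-side email is no better evidence of ownership than an unverified local one.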

Closed by cbay
02.07.2026 07:18
Reason for closing: Invalid
Admin
cbay commented on 02.07.2026 07:18

Hello,

This behavior suggests that OAuth account linking occurs without first confirming that the email ownership verification process has been completed.

That's true, and I don't see any issue with that.

Kind regards,
Cyril
