CIRCLE WITH A DOT

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Changing your email to someone else's locks them out.

1 Posts 1 Posters 0 Views

E This user is from outside of this forum
E This user is from outside of this forum
edoardotosin@infosec.exchange

wrote last edited by

#1

Changing your email to someone else's locks them out. Registration checked for duplicate addresses; the update endpoint didn't.
I found this in a real cloud portal. Password reset doesn't recover the account; it silently logs the victim into the wrong one.
https://go.edoardotosin.com/vdp-email-2026
#BugBounty #WebSecurity #AppSec
1 Reply Last reply
1
0
R relay@relay.infosec.exchange shared this topic

Log in to reply