Mail.Ru Ext.B Scope Account Takeover [ $1500 ]

Hi, I want to share how I found an account takeover bug in .

I looked for vulnerabilities in … (XSS, CSRF, etc.). I found one XSS bug, but it was a duplicate.

I noticed it supports many OAuth providers (Gmail, VK, Twitter, GitHub, ...).

They match accounts by email address for OAuth login. E.g., if you log in with Gmail ( and log in again with Twitter ( created with the same email, both land in the same account.


In , you can create an account without confirming the email. I created a VK account with ( without confirming the email, and then logged in to with VK.

The system did not find an email in the VK OAuth profile, so it asked me for an email address to confirm.

I entered the victim's email ( ) and clicked confirm. WTF... it redirected me straight into the account without any further verification step.
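To make the root cause concrete, here is an added example (my own illustration, not Mail.Ru's code and not the author's) of the account-linking logic described above, in a vulnerable form beside a hardened one. It assumes a hypothetical in-memory `AccountStore` keyed by email and a hypothetical OAuth profile dict with `id`, `email` and `email_verified` fields; the email addresses are constructed sample values. The vulnerable flow trusts whatever email the user types into the "confirm your email" form; the hardened flow links an OAuth identity only when the provider itself asserts a verified email, and otherwise defers linking until a token sent to that address comes back.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    email: str
    linked_providers: set = field(default_factory=set)


class AccountStore:
    """Hypothetical in-memory user store (assumption, not a real backend)."""

    def __init__(self):
        self.users = {}    # email -> User
        self.pending = {}  # confirmation token -> (provider, provider_user_id, email)

    def register(self, email):
        self.users[email] = User(email)
        return self.users[email]


def vulnerable_oauth_login(store, provider, profile, user_supplied_email=None):
    """Flaw: when the provider gives no email, the address typed by the
    user is treated as proven and matched against existing accounts."""
    email = profile.get("email") or user_supplied_email
    if email is None:
        raise ValueError("email required")
    user = store.users.get(email) or store.register(email)
    user.linked_providers.add(provider)
    return user  # a session on whichever account owns `email`, with no proof of ownership


def hardened_oauth_login(store, provider, profile, user_supplied_email=None):
    """Link immediately only on a provider-verified email; otherwise issue a
    confirmation token and create no session until it is redeemed."""
    email = profile.get("email") or user_supplied_email
    if email is None:
        raise ValueError("email required")
    if profile.get("email") and profile.get("email_verified"):
        user = store.users.get(email) or store.register(email)
        user.linked_providers.add(provider)
        return ("session", user)
    # Unverified or user-typed address: the server mails `token` to `email`.
    token = secrets.token_urlsafe(32)
    store.pending[token] = (provider, profile["id"], email)
    return ("pending_confirmation", token)


def confirm_email(store, token):
    """Redeem a single-use token received at the claimed address; only then link."""
    entry = store.pending.pop(token, None)
    if entry is None:
        raise PermissionError("invalid or already used token")
    provider, _provider_id, email = entry
    user = store.users.get(email) or store.register(email)
    user.linked_providers.add(provider)
    return user


def run_scenario():
    """Replay the write-up: an OAuth profile without an email, plus a typed-in
    address belonging to someone else. Returns (vulnerable_result, hardened_status)."""
    victim_email = "victim@example.com"  # constructed sample value
    vk_profile = {"id": "vk-attacker", "email": None, "email_verified": False}

    store_v = AccountStore()
    victim_v = store_v.register(victim_email)
    got = vulnerable_oauth_login(store_v, "vk", vk_profile, victim_email)
    takeover = got is victim_v  # True: the victim's account was handed over

    store_h = AccountStore()
    store_h.register(victim_email)
    status, _token = hardened_oauth_login(store_h, "vk", vk_profile, victim_email)
    return takeover, status


if __name__ == "__main__":
    print(run_scenario())  # (True, 'pending_confirmation')
```

The fix is not in the form but in what the server treats as proof: a provider's `email_verified` claim, or a token that only the mailbox owner can receive. Linking on an unverified email the user typed, or on a provider email the provider itself has not verified, recreates the same takeover path.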

I reported it to via HackerOne. They accepted my report and awarded me $1500.

Thanks for reading... See you in the next bug.
