Block victim from resetting his password

Mohamed Ayad
2 min read · Jul 17, 2020


Peace be upon you everyone.

Today I am going to discuss an abnormal bug that allowed me to block a legitimate user from resetting his password, while at the same time he could reset the password of the attacker's account!

Seems weird? Just follow along…

The site does not allow its reports to be disclosed, so let's call it site.com.

While investigating the site for more than a few weeks, I came across a functionality that allows you to add a user beside your primary user. The bug was that you could modify the primary user's email, and here is the issue.

What I did was modify the primary email to, let's say, the victim's email (victim@gmail.com) // I will explain below why we call it the victim. What that does is that when the real primary email requests a password reset, the reset token is sent to victim@gmail.com to reset the real primary account.

And when victim@gmail.com requests a password reset, he receives an email to reset the real primary account instead, so here we have denied the legitimate user from resetting his own password.

Here is how to reproduce:

1- Log into your account with real-primary@gmail.com and modify the primary email to victim@gmail.com.

2- Now if real-primary@gmail.com requests a reset token, the link will be sent to victim@gmail.com and it will reset real-primary@gmail.com.

3- When victim@gmail.com requests to reset his password, he also receives an email to reset real-primary@gmail.com, and now he can't reset his own password.
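As an added illustration (my own toy model, not the author's code and not the real site's implementation), the Python below replays the three steps against a vulnerable email-change handler and against one that enforces uniqueness and ownership verification of the new address. The lookup rule in `find_by_email` (match either the registered or the primary address, earliest account wins) is an assumption about how the site resolved reset requests; the addresses are the post's placeholders.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    login_email: str    # address the account was registered with
    primary_email: str  # editable "primary" address that reset links are mailed to
    pending: "tuple[str, str] | None" = None  # hardened path: (new address, verification token)

class Site:  # constructed toy model of the flow in the write-up; the real site's code is unknown
    def __init__(self):
        self.accounts: dict[int, Account] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, message): stand-in for outgoing mail
    def create(self, account_id, email):
        self.accounts[account_id] = Account(account_id, email, email)
    def find_by_email(self, email):  # assumed lookup: either address matches, earliest account wins
        return next((a for a in self.accounts.values() if email in (a.login_email, a.primary_email)), None)
    # Vulnerable: swapped at once, no ownership proof and no uniqueness check, so the primary
    # address can be pointed at a mailbox that already belongs to another user.
    def change_email_vulnerable(self, account_id, new_email):
        self.accounts[account_id].primary_email = new_email
    # Hardened: refuse an address tied to any account, and switch only once the owner of the
    # new mailbox presents the token that was mailed there.
    def change_email_hardened(self, account_id, new_email):
        if self.find_by_email(new_email) is not None:
            return False
        token = secrets.token_urlsafe(16)
        self.accounts[account_id].pending = (new_email, token)
        self.outbox.append((new_email, f"verify-email:{token}"))
        return True
    def confirm_email_change(self, account_id, token):
        acct = self.accounts[account_id]
        if acct.pending is None or not secrets.compare_digest(acct.pending[1], token):
            return False
        acct.primary_email, acct.pending = acct.pending[0], None
        return True
    def request_password_reset(self, email):  # mails a reset token to the account's primary address
        acct = self.find_by_email(email)
        if acct is None:
            return None
        self.outbox.append((acct.primary_email, f"reset:{acct.account_id}:{secrets.token_urlsafe(16)}"))
        return acct.account_id

def replay(hardened):  # run the three steps; return (account a reset for the victim's address hits, recipients)
    site = Site()
    site.create(1, "real-primary@gmail.com")  # attacker's account, registered first
    site.create(2, "victim@gmail.com")        # legitimate user's own account
    (site.change_email_hardened if hardened else site.change_email_vulnerable)(1, "victim@gmail.com")  # step 1
    site.outbox.clear()
    site.request_password_reset("real-primary@gmail.com")        # step 2
    targeted = site.request_password_reset("victim@gmail.com")   # step 3
    return targeted, [to for to, _ in site.outbox]
```

With the vulnerable handler, both reset mails land in the victim's mailbox and the reset for victim@gmail.com resolves to the attacker's account (id 1); with the hardened handler the change is refused and the victim's reset resolves to his own account (id 2).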

Thank you for reading! I hope you enjoyed it…

You can find me on Twitter: @0xMohamed_Ayad

and on LinkedIn: @0xmh3yad
