How I Found Pre-Account Takeover Vulnerabilities
Hi everyone 👋
montaser mohsen
~3 min read
March 25, 2026 (Updated: March 25, 2026)
My name is Montaser, and I'm a cybersecurity researcher interested in bug bounty and discovering real-world vulnerabilities.
I've been focusing a lot on authentication-related bugs lately, and one of the most interesting (and underrated) vulnerabilities I keep finding is:
Pre-Account Takeover
So far, I've discovered this issue multiple times across different applications, including valid reports on bug bounty platforms.
This write-up is a simple explanation of how this bug works, how I find it, and how you can start testing for it too.
Also, this is part of my journey in bug bounty, so if the style feels a bit simple — I'm still learning and improving every day 😅
🔍 What is Pre-Account Takeover?
Pre-Account Takeover is a vulnerability where the attacker claims the victim's identity on the application before the victim has created (or verified) their own account.
In simple terms:
An attacker registers an account with the victim's email address. When the victim later signs up with that same address, they land in the account the attacker created, and the attacker keeps access to it.
🔐 What is OAuth Misconfiguration?
OAuth 2.0 is an authorization framework, and the "Sign in with ..." buttons you see everywhere use OpenID Connect on top of it to let users log in with an account they already have at a provider such as:
Google
Facebook
GitHub
Instead of creating a password, users can just click:
"Continue with Google"
But here's the problem:
Many applications implement this login flow incorrectly, especially the step where the identity returned by the provider is mapped onto a local account.
These mistakes are usually called OAuth misconfigurations, and they can lead to serious issues like account takeover.
💡 Simple Example
Let's say a website allows:
Signup using email/password
Login using Google
Now imagine this:
The website does NOT verify email addresses at signup
It automatically links a Google login to whichever local account already has that email
👉 This creates a dangerous situation.
An attacker can:
Register an account with your email and a password only they know
Wait until you click "Continue with Google" with that same email
Because the emails match, the app signs you into the attacker's account instead of creating a new one
The attacker's password still works, so they keep full access to everything you do in that account
⚙️ My Testing Scenario
While testing a target (let's call it target.com), I noticed that the application supports:
Email/Password registration
Google OAuth login
So I decided to test the account linking logic.
1️⃣ Account Creation (Email/Password)
I signed up using:
Email: [email protected]
Password: password
✅ The account was created successfully
❌ No email verification was required
After that, I logged out.
2️⃣ Login via Google OAuth
Next, I clicked:
"Continue with Google"
And logged in using the same email:
[email protected]
3️⃣ The Result
Here's what happened:
The application automatically linked the Google account
No verification was required
No confirmation step
💥 I was able to log in to the same account using OAuth.
🎯 Why This is a Problem
This means an attacker can:
Pre-register a victim's email (with a password only the attacker knows)
Wait for the victim to sign up using Google
Keep full access to the account through that password, while the victim uses the same account through Google
👉 The victim doesn't even know the account was already created.
💥 Impact
This vulnerability can lead to:
Full account takeover
Unauthorized access to user data
Identity impersonation
Account lockout
And the worst part:
The victim trusts the account because they think they created it.
🧠 Root Cause
The issue usually comes from a combination of:
❌ No email verification at signup, so anyone can register any address
❌ Blind trust in the email returned by the OAuth provider as proof that the local account belongs to the same person
❌ Automatic account linking on an email match alone
❌ No user confirmation before a new login method is attached to an existing account
🛠️ How to Fix It
To prevent this vulnerability:
Enforce email verification before activating accounts: an unverified signup must not be able to log in, and it must not block or capture the real owner of the address
Do not automatically link an OAuth login to an existing local account just because the email matches
Require the user to authenticate to the existing account (or explicitly confirm) before a new login method is linked
Treat the provider's email as proof of ownership only when the ID token asserts it is verified (for Google, the email_verified claim), and even then only link it to a local account whose email you verified yourself
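As an added example (not code from the original post or from any real target), here is a small in-memory model of both behaviours: the vulnerable "link on email match" logic from the testing scenario above, and a hardened version that applies the fixes in this section. The User and GoogleClaims structures, the method names and the sample addresses are assumptions for illustration; the Google claims are assumed to come from an ID token whose signature has already been checked.

```python
# Added example: in-memory model of the account-linking decision, showing the
# vulnerable behaviour beside a hardened one. Class/method names, fields and the
# sample emails are illustrative assumptions, not any real application's code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None
    salt: Optional[bytes] = None
    email_verified: bool = False        # did THIS application confirm the mailbox?
    google_sub: Optional[str] = None    # stable subject id from the identity provider


@dataclass
class GoogleClaims:
    """Subset of an OIDC ID token; assumed already signature- and audience-checked."""
    sub: str
    email: str
    email_verified: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users: dict[str, User] = {}

    def register_with_password(self, email: str, password: str) -> User:
        email = email.strip().lower()
        if email in self.users:
            raise ValueError("email already registered")
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, _hash(password, salt), salt)
        return self.users[email]

    def confirm_email(self, email: str) -> None:
        """Simulates the user clicking a verification link (mail delivery not modelled)."""
        self.users[email.strip().lower()].email_verified = True

    def login_with_password(self, email: str, password: str) -> Optional[User]:
        u = self.users.get(email.strip().lower())
        if u is None or u.password_hash is None:
            return None
        if self.hardened and not u.email_verified:
            return None                     # unverified signups are not active accounts
        ok = hmac.compare_digest(_hash(password, u.salt), u.password_hash)
        return u if ok else None

    def login_with_google(self, c: GoogleClaims) -> tuple[str, Optional[User]]:
        email = c.email.strip().lower()
        u = self.users.get(email)
        if u is not None and u.google_sub == c.sub:
            return "login", u               # already linked: ordinary login
        if u is None:
            u = User(email, email_verified=c.email_verified, google_sub=c.sub)
            self.users[email] = u
            return "created", u
        if not self.hardened:
            u.google_sub = c.sub            # VULNERABLE: email match is the only check
            return "auto_linked", u
        if not c.email_verified:
            return "rejected_unverified_idp_email", None
        if not u.email_verified:
            # Placeholder registered by someone who never proved ownership: drop its
            # credential and hand the address to the claimant the provider verified.
            fresh = User(email, email_verified=True, google_sub=c.sub)
            self.users[email] = fresh
            return "replaced_unverified_placeholder", fresh
        # Both sides verified: still never link silently; make the user confirm.
        return "confirmation_required", None

    def link_google_after_confirmation(self, email: str, password: str,
                                       c: GoogleClaims) -> Optional[User]:
        """Explicit link: the user first proves they hold the existing account."""
        u = self.login_with_password(email, password)
        if u is None or c.email.strip().lower() != u.email or not c.email_verified:
            return None
        u.google_sub = c.sub
        return u


def pre_ato_scenario(hardened: bool) -> dict:
    """Attacker pre-registers the victim's email; victim later signs in with Google."""
    store = AccountStore(hardened)
    victim = "victim@example.com"                                  # constructed sample
    store.register_with_password(victim, "attacker-chosen")        # attacker, never verifies
    outcome, _ = store.login_with_google(GoogleClaims("g-sub-1", victim, True))  # victim
    attacker_in = store.login_with_password(victim, "attacker-chosen") is not None
    return {"oauth_outcome": outcome, "attacker_still_has_access": attacker_in}


if __name__ == "__main__":
    print(pre_ato_scenario(hardened=False))
    print(pre_ato_scenario(hardened=True))
```

pre_ato_scenario(hardened=False) reproduces the write-up: the Google login is auto-linked onto the attacker's pre-registered account and the attacker's password still opens it. With hardened=True the unverified placeholder never becomes an active account, the claimant whose email the provider verified replaces it, and a verified existing account can only gain a Google login after the user proves they hold it. Many real providers do link silently when both sides are verified; requiring the confirmation step is the stricter choice the fix list above recommends.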
🚀 Tips for Beginners
If you're starting in bug bounty, this bug is a great target:
Easy to test
High impact
Very common
No advanced tools needed
🔎 Where to look:
Signup flows
Login systems
OAuth integrations
Account linking logic
🏁 Final Thoughts
Pre-Account Takeover is one of those bugs that looks simple — but can have a huge impact.
The fact that I've found it multiple times shows that many applications still get this wrong.
If you're learning bug bounty:
Focus on logic, not just technical bugs.
Thanks for reading 🙏
I'll keep sharing more from my bug bounty journey.
Feel free to connect or share your thoughts
Facebook: https://facebook.com/montasermohsen98
Twitter (X): https://x.com/Montaser_M98
LinkedIn: https://linkedin.com/in/montasermohsen98
#bug-bounty #bug-bounty-writeup #bug-bounty-tips #web-security #oauth