Invalid
Low
WakaTime
Reported by pashaaaaaaaa
Vulnerability Details
Technical details and impact analysis
**Summary**:
While testing the OAuth implementation on your platform, I discovered a critical vulnerability that allows a malicious attacker to take over any victim’s account and maintain persistent access even if the victim later verifies their email or changes their password.
This issue arises because the application does not properly validate and enforce ownership of email addresses when accounts are linked via GitHub OAuth and subsequently changed to a victim’s email. As a result, the attacker effectively “controls both sides” of the victim’s account lifecycle.
**Steps to Reproduce**:
1. The attacker signs up on the platform using their GitHub OAuth account.
2. After registration, the attacker goes to account settings and changes their email address to the victim’s email address.
   - If the victim already exists: the attacker can trick them into re-verifying.
   - If the victim does not exist: the attacker can still set the victim’s email.
3. The victim receives a verification email and, believing it is legitimate, verifies it. At this point, the victim assumes ownership of the account.
4. However, when the attacker logs in again using GitHub OAuth, they are still logged into the victim’s account.
5. This results in persistent access for the attacker, even after the victim sets a password or makes account changes.
**During further testing, I discovered that if the victim removes the backup email from account settings and then the attacker logs in again with GitHub OAuth, they are once again logged directly into the victim’s account — and the backup email is automatically re-added without validation.**

**This behavior further strengthens the persistence of the attack and demonstrates that the system is automatically restoring the attacker’s identity link, making it even harder for the victim to break free from the takeover.**
**Severity (CVSS v3.1)**:
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
- CVSS Base Score: 9.8 (Critical)
**Recommendation**:
- Enforce strict email ownership verification before binding an external OAuth identity (e.g., GitHub).
- Prevent attackers from changing an account’s email to an email that already exists in the system.
- Ensure that OAuth logins are tied to verified identities, not just email strings, to avoid collisions.
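The three recommendations above, sketched as an added in-memory model (this is illustrative code written for this page, not WakaTime's implementation; the class and method names are hypothetical). It keys OAuth logins on the provider's stable user id rather than the e-mail string, refuses an e-mail change that collides with another account, only applies a pending change from the account holder's own session, and treats unlinking as durable.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    id: int
    email: str                          # verified login e-mail, lower-cased
    pending_email: "str | None" = None  # change awaiting confirmation
    identities: set = field(default_factory=set)  # {(provider, provider_uid)}

class AccountStore:
    def __init__(self):
        self.accounts = {}
        self._next_id = 1

    def _find(self, pred):
        return next((a for a in self.accounts.values() if pred(a)), None)

    def _email_taken(self, email, except_acct=None):
        e = email.strip().lower()
        return self._find(lambda a: a is not except_acct
                          and e in (a.email, a.pending_email)) is not None

    def oauth_login(self, provider, uid, provider_email):
        # Key on the provider's stable user id, never on the e-mail string.
        acct = self._find(lambda a: (provider, uid) in a.identities)
        if acct is not None:
            return acct
        if self._email_taken(provider_email):
            raise PermissionError("e-mail belongs to an existing account")
        acct = Account(self._next_id, provider_email.strip().lower(),
                       identities={(provider, uid)})
        self.accounts[acct.id] = acct
        self._next_id += 1
        return acct

    def request_email_change(self, acct, new_email):
        # Refuse any address already bound to, or pending on, another account.
        if self._email_taken(new_email, except_acct=acct):
            raise ValueError("e-mail already in use")
        acct.pending_email = new_email.strip().lower()

    def confirm_email_change(self, acct, session_acct):
        # The link only takes effect from the account holder's own session.
        if session_acct is not acct or acct.pending_email is None:
            raise PermissionError("confirmation must come from the holder's session")
        acct.email, acct.pending_email = acct.pending_email, None

    def unlink_identity(self, acct, provider, uid):
        # Durable removal: a later login with this identity is not re-linked.
        acct.identities.discard((provider, uid))
```

A recipient who clicks a confirmation link without being logged in as that account gets nothing, and after the holder removes a linked identity the same identity can no longer reach the account.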
## Impact
- Full Account Takeover (ATO): The attacker gains complete access to the victim’s account.
- Confidentiality: The attacker can view all sensitive information of the victim.
- Integrity: The attacker can modify or delete the victim’s data.
- Availability: The attacker can lock the victim out of their own account, effectively causing denial of service.
This vulnerability allows a complete compromise of any account and could severely impact users’ trust and data security.
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Submitted
Weakness: Improper Access Control - Generic