Hello everyone
Today I will talk about a simple bug that I found on a public BBP at Bugcrowd just by understanding the target, without even opening Burp.
It was a traditional website with different user roles.
And there were 2 different methods for sign up:
1- Using email and password
2- OAuth with Google or Facebook
So I created an account using email and password, and when I went to account settings I noticed that there is a button to delete your account.
So the first thing I thought was to see whether deleting the account requires a password or not (if not, it is a P4 at Bugcrowd). But it did require the password.
So here comes the first security issue ….
When I deleted an account and tried to sign up a new account with the same email as the deleted account, I got an error, so it looks like the website blocks your email from creating any account if you delete an account with this email.
So how can I exploit this?
On the website, when you create an account using email and password you can’t log in or access the account until you verify your email by clicking the link sent to your email inbox, but when you log in via Facebook the website doesn’t register you with the email that you gave the website permission to access through the OAuth process.
So the website redirects you to a page to specify your birthday, nickname and (optional) email address.
So here I entered a random email address and noticed that I could access the account without being asked for email verification.
Now an attacker can log in with OAuth through Facebook, then enter the victim’s email and access the account without needing to verify it, then delete the account.
Now the victim can’t sign up for an account on the website due to security issue 1, which was mentioned above.
Logic flaw | Blocking users from signing up on the site
1- Attacker signs up with OAuth
2- Attacker is redirected to the personal info page (birthday, nickname, email)
3- Attacker enters the victim’s email and notices that there is no need for email verification
4- Attacker goes to account settings and deletes the account
5- After some time the victim will try to create an account on the website, but he will not be able to due to security issue 1
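
The two behaviours described above (the email blocked after deletion, and the unverified email accepted on the OAuth profile page) can be modelled side by side with one possible fix. This is an added example, not the site's code: the class, method names and sample address are hypothetical, and the hardened rule (block an address on deletion only if its ownership was verified) is an assumed mitigation, not one stated in the write-up.

```python
class AccountService:
    """Constructed in-memory model; every name here is hypothetical."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}    # account id -> {"email": ..., "verified": ...}
        self.blocked = set()  # emails refused at sign-up after a deletion
        self.next_id = 1

    def _create(self, email):
        acct_id, self.next_id = self.next_id, self.next_id + 1
        self.accounts[acct_id] = {"email": email, "verified": False}
        return acct_id

    def signup_password(self, email):
        if email in self.blocked:
            raise PermissionError("email blocked by an earlier deletion")
        return self._create(email)

    def signup_oauth(self):
        # The provider's email is not used; it is requested on the profile page.
        return self._create(None)

    def set_profile_email(self, acct_id, email):
        # User-supplied address: nobody has proven ownership of it yet.
        self.accounts[acct_id]["email"] = email

    def verify_email(self, acct_id):
        # Reached only when the link mailed to the address is clicked.
        self.accounts[acct_id]["verified"] = True

    def delete_account(self, acct_id):
        acct = self.accounts.pop(acct_id)
        if acct["email"] is None:
            return
        # Weak rule: block whatever address the account carried.
        # Hardened rule: block only an address whose ownership was proven.
        if acct["verified"] or not self.hardened:
            self.blocked.add(acct["email"])


def victim_can_sign_up(hardened, victim="victim@example.test"):
    """Replay the five steps above, then try the victim's own sign-up."""
    svc = AccountService(hardened)
    other = svc.signup_oauth()
    svc.set_profile_email(other, victim)  # accepted without verification
    svc.delete_account(other)
    try:
        svc.signup_password(victim)
        return True
    except PermissionError:
        return False
```
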