Some exploits are brute force. Some require finesse.
This one? It was about being first.
It started like any other night. I was digging through the usual targets, scrolling through settings, tweaking requests, and trying to find that one thing everyone else missed.
That’s when I saw it.
I was inside my Professional/Educator account, just casually poking around. That’s when I stumbled upon something that should’ve been standard.
The “Change Email” option.
At first, I wasn’t expecting much — just another boring email update form. But then I noticed something… weird.
Just an input box and a Save button.
I had a hunch.
“What if I link an email that doesn’t belong to me?”
I typed in a random email. Let’s call it:
🔹 admin@example.com
Boom.
The system instantly sent a 6-digit OTP. Alright, fair enough. But then I tested the next step. I entered random numbers. No rate limiting. I tried a basic brute-force script. The OTP had no cooldown. Within minutes, I had guessed the code.
And just like that… I had linked someone else’s email to my account. But the real kicker? The email didn’t even need to exist yet. That meant I could pre-register emails before their real owners even signed up.
At first, this was just a weird bug. But the more I thought about it, the worse it got. This wasn’t just an account takeover. This was a preemptive strike.
If the real owner ever tried to sign up, they’d find out their email was already in use. The only way in? Reset the password.
But by then, I had already linked:
✅ My phone number.
✅ My MFA device.
✅ My security key.
Their email, my account.
Want to stop someone from making an account? Just claim their email first and require MFA only you control.
Imagine a student trying to register for a crucial exam. They can’t. Why? Because someone already “owns” their email.
This one was scary.
I could attach trusted emails to my profile, making phishing attacks way more convincing. Imagine getting an email from a verified professional account — who wouldn’t trust it?
Or worse…
What if I linked a school administrator’s email to my account? Suddenly, I’d have a legitimate identity to request sensitive student data.
This wasn’t just an account takeover. It was identity theft before identity even existed.