The Ghost Email Heist — Stealing Accounts from the Future


shxsu1

Some exploits are brute force. Some require finesse.

This one? It was about being first.

It started like any other night. I was digging through the usual targets, scrolling through settings, tweaking requests, and trying to find that one thing everyone else missed.

That’s when I saw it.

I was inside my Professional/Educator account, just casually poking around. That’s when I stumbled upon something that should’ve been standard.

The “Change Email” option.

At first, I wasn’t expecting much — just another boring email update form. But then I noticed something… weird.

Just an input box and a Save button.

I had a hunch.

“What if I link an email that doesn’t belong to me?”

I typed in a random email. Let’s call it:

🔹 admin@example.com

Boom.

The system instantly sent a 6-digit OTP. Alright, fair enough. But then I tested the next step. I entered random numbers. No rate limiting. I tried a basic brute-force script. The OTP had no cooldown. Within minutes, I had guessed the code.

And just like that… I had linked someone else’s email to my account. But the real kicker? The email didn’t even need to exist yet. That meant I could pre-register emails before their real owners even signed up.

At first, this was just a weird bug. But the more I thought about it, the worse it got. This wasn’t just an account takeover. This was a preemptive strike.

If the real owner ever tried to sign up, they’d find out their email was already in use. The only way in? Reset the password.

But by then, I had already linked:
✅ My phone number.
✅ My MFA device.
✅ My security key.

Their email, my account.

Want to stop someone from making an account? Just claim their email first and require MFA only you control.

Imagine a student trying to register for a crucial exam. They can’t. Why? Because someone already “owns” their email.

This one was scary.

I could attach trusted emails to my profile, making phishing attacks way more convincing. Imagine getting an email from a verified professional account — who wouldn’t trust it?

Or worse…

What if I linked a school administrator’s email to my account? Suddenly, I’d have a legitimate identity to request sensitive student data.

This wasn’t just an account takeover. It was identity theft before identity even existed.
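The OTP step described above had no attempt limit and no cooldown, which is what made a 6-digit code guessable within minutes. As an added example (not code from the original post or from the affected service), this is a minimal server-side sketch of the missing control; the class name, the policy constants and the in-memory storage are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per code
CODE_TTL = 600          # assumed policy: code lifetime in seconds
MAX_CODES_PER_HOUR = 3  # assumed policy: stops re-issuing to reset the counter


class EmailChangeVerifier:
    """In-memory sketch; a real service keeps this state in a server-side store."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> {"email", "code", "expires", "left"}
        self._issued = {}   # account_id -> timestamps of recently issued codes

    def issue(self, account_id, new_email):
        now = self._clock()
        recent = [t for t in self._issued.get(account_id, []) if now - t < 3600]
        if len(recent) >= MAX_CODES_PER_HOUR:
            return None  # refuse: a fresh code would also grant fresh attempts
        self._issued[account_id] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = {"email": new_email, "code": code,
                                     "expires": now + CODE_TTL, "left": MAX_ATTEMPTS}
        return code  # mailed to new_email; returned here only so the sketch is testable

    def verify(self, account_id, new_email, guess):
        entry = self._pending.get(account_id)
        if entry is None or entry["email"] != new_email:
            return "no_pending_change"
        if self._clock() > entry["expires"]:
            del self._pending[account_id]
            return "expired"
        if hmac.compare_digest(entry["code"].encode(), guess.encode()):
            del self._pending[account_id]
            return "verified"
        entry["left"] -= 1
        if entry["left"] == 0:
            del self._pending[account_id]  # burn the code so guessing cannot continue
            return "locked"
        return "wrong"


def guess_success_bound():
    """Upper bound on blind-guess success per account per hour under this policy."""
    return MAX_ATTEMPTS * MAX_CODES_PER_HOUR / 10**6
```

With these assumed limits a blind guesser gets at most 15 tries per hour against a space of 1,000,000 codes, so the email is only linked by someone who can actually read the mailbox.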
