Today I am going to share one of my interesting findings on a private program. Since this is a private program, I will be referring to it as target.com.
Let’s get started. I picked one of the subdomains, a.target.com, and there is a registration page to create a new account. There is also an option to sign up using OAuth. So, I created one account using email. After that, it asked for verification, which I received by email.
Then suddenly I thought, why not sign up with the same email through Google OAuth?
Boom, I got my account created without any verification, and then I tried to sign in using the same email and the verification was bypassed. This makes it vulnerable to pre-account takeover via OAuth misconfiguration.
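The linking decision behind this finding, as an added example that is not code from the original post or from the affected program: it models the flawed merge beside a hardened one that requires the provider's `email_verified` claim and drops any password set before the mailbox was verified. The `Account` model, function names, sample email and subject are hypothetical.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None   # set by email/password sign-up
    email_verified: bool = False          # True only after the emailed link is used
    oauth_subjects: set = field(default_factory=set)

def link_oauth_vulnerable(db, email, sub):
    """Flaw described above: an OAuth sign-up with a matching email is merged into
    the existing unverified account and marks it verified, password intact."""
    acct = db.setdefault(email, Account(email))
    acct.oauth_subjects.add(sub)
    acct.email_verified = True
    return acct

def link_oauth_hardened(db, email, sub, idp_email_verified):
    """Trust only a provider-verified email, and never carry an unverified
    password credential into the linked account."""
    if not idp_email_verified:
        raise PermissionError("identity provider did not verify this email")
    acct = db.get(email)
    if acct is None:
        acct = db[email] = Account(email)
    elif not acct.email_verified:
        # Whoever set this password never proved control of the mailbox.
        acct.password_hash = None
    acct.oauth_subjects.add(sub)
    acct.email_verified = True
    return acct

def password_login_allowed(db, email, password_hash):
    acct = db.get(email)
    return bool(acct and acct.email_verified and acct.password_hash
                and hmac.compare_digest(acct.password_hash, password_hash))

def demo():
    # Constructed sample data: one unverified email/password registration.
    results = {}
    for name, link in (("vulnerable", link_oauth_vulnerable),
                       ("hardened", lambda d, e, s: link_oauth_hardened(d, e, s, True))):
        db = {"user@example.com": Account("user@example.com", password_hash="h1")}
        link(db, "user@example.com", "google-sub-123")
        results[name] = password_login_allowed(db, "user@example.com", "h1")
    return results
```

`demo()` reports whether the password chosen before verification still logs in after the OAuth link, once for each linking function.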
Some companies paid nothing. Some companies pay $$$.
I hope you learned something new from this blog. I will write more of my findings soon, so stay tuned for my next write-up.
Thank you for reading it 😊