Broken Authentication (Vulnerable Email-change and Forgot-Password Feature)

Hello Hackers,

Let’s read some Cybersecurity blogs

Today we will look at a very interesting vulnerability in the Email-Change and Forgot-Password features: a password-reset link that stays valid after the account's email address has been changed. Because the reset link is delivered to the old mailbox, whoever controls that mailbox keeps the ability to take over the account for as long as the link lives, which means the web application is vulnerable to Broken Authentication.

When I was bug hunting on the most popular music app, Spotify, I came across an email-changing feature, so I tried some weird tricks.

Vulnerability Reproduction Steps:
  • Suppose there are two email addresses, email1@wearehackerone.com and email2@wearehackerone.com, and the target account is registered to email1@wearehackerone.com.
  • Request a forgot-password link for email1@wearehackerone.com, but do not use it yet.
  • Now change the email address on the account from email1@wearehackerone.com to email2@wearehackerone.com.
  • The account is now linked with email2@wearehackerone.com.
  • Open the forgot-password link that was previously sent to email1@wearehackerone.com and set a new password.
  • The password reset succeeds, even though the link was issued for an address that is no longer tied to the account. (Correct behaviour: every outstanding reset link should have been invalidated the moment the email address changed.)
  • Log in with email2@wearehackerone.com and the password you just set. Surprisingly, you will be logged in.
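To make the defect concrete, here is an added example in Python (my own illustration, not Spotify's code and not code from the original post): a toy account service whose reset tokens are keyed only by user ID, beside a hardened version that binds each token to the email address and account state it was issued for and drops outstanding tokens when the email changes. The service, its method names and the sample passwords are assumptions made for illustration; the two email addresses are the ones from the steps above. The `run_scenario` function replays the reproduction steps against either service.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str) -> str:
    # Demo only; a real service would use argon2id or bcrypt with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    user_id: int
    email: str
    password_hash: str
    security_version: int = 0  # bumped on every email or password change


@dataclass
class ResetToken:
    user_id: int
    email: str             # address the reset link was mailed to
    security_version: int  # account state the token was issued against
    expires_at: float


class VulnerableService:
    """Reset links are keyed only by user id: changing the email leaves them valid."""

    TOKEN_TTL = 3600  # seconds; assumed value

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.tokens: Dict[str, ResetToken] = {}

    def register(self, email: str, password: str) -> int:
        uid = len(self.accounts) + 1
        self.accounts[uid] = Account(uid, email, hash_password(password))
        return uid

    def _find(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.email == email), None)

    def request_reset(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        acct = self._find(email)
        if acct is not None:  # unknown address: same response shape, nothing stored
            self.tokens[token] = ResetToken(acct.user_id, email, acct.security_version,
                                            time.time() + self.TOKEN_TTL)
        return token  # in reality this goes out by e-mail to `email`

    def change_email(self, user_id: int, new_email: str) -> None:
        self.accounts[user_id].email = new_email  # BUG: outstanding tokens untouched

    def _token_valid(self, tok: ResetToken, acct: Account) -> bool:
        return time.time() < tok.expires_at  # only expiry is checked

    def reset_password(self, token: str, new_password: str) -> bool:
        tok = self.tokens.pop(token, None)  # single use
        if tok is None:
            return False
        acct = self.accounts[tok.user_id]
        if not self._token_valid(tok, acct):
            return False
        acct.password_hash = hash_password(new_password)
        acct.security_version += 1
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self._find(email)
        return acct is not None and hmac.compare_digest(
            acct.password_hash, hash_password(password))


class HardenedService(VulnerableService):
    """An email change invalidates every reset link issued before it."""

    def change_email(self, user_id: int, new_email: str) -> None:
        acct = self.accounts[user_id]
        acct.email = new_email
        acct.security_version += 1  # tokens carrying the old version are now dead
        # Belt and braces: also purge the stored tokens for this user outright.
        self.tokens = {t: r for t, r in self.tokens.items() if r.user_id != user_id}

    def _token_valid(self, tok: ResetToken, acct: Account) -> bool:
        return (time.time() < tok.expires_at
                and tok.security_version == acct.security_version
                and tok.email == acct.email)


def run_scenario(service: VulnerableService) -> dict:
    """Replays the reproduction steps; reports what the holder of the old link achieved."""
    uid = service.register("email1@wearehackerone.com", "original-pw")
    link = service.request_reset("email1@wearehackerone.com")   # link kept unused
    service.change_email(uid, "email2@wearehackerone.com")      # email changed
    reset_ok = service.reset_password(link, "attacker-pw")      # stale link replayed
    login_ok = service.login("email2@wearehackerone.com", "attacker-pw")
    return {"reset_ok": reset_ok, "login_ok": login_ok}
```

Against `VulnerableService` the stale link resets the password and the attacker logs in with the new address; against `HardenedService` the same link is rejected and the original password still stands. Either of the two hardening measures alone is enough; the version counter is the one that also survives a token store the email-change handler forgot to clean up.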

Scenario:

  • Suppose my email account is compromised. The attacker requests a password-reset link for my Spotify account.
  • Once I find out, I change the email address on my Spotify account.
  • But the attacker can still reset my password using the reset link that was already delivered to the compromised mailbox.

I reported this to Spotify, but they marked it as Not Applicable, so I decided to disclose this report.

Video POC:

That’s all for the day guys…

Happy Hacking!!
