Account Takeover

Email Change No Reauth

Changing the account email requires only a session cookie, not the current password, so a stolen session lets the attacker rotate the email and trigger a password reset to take over.

CWE-287, CWE-862
ATO chain

Expected Findings

  • Email change does not require the current password or step-up auth.
  • Old email is not notified.
  • Password reset link is sent to the new, unverified email immediately.

Signals

Bug
// no password check before updating email
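The flow above, as an added example that is not part of the original page: a minimal in-memory account service with the insecure email change (session cookie only) beside a hardened version that requires the current password, notifies the old address, and keeps the confirmed address as the only password-reset target until the new one is verified. All names (`User`, `Notifier`, `request_email_change`, the sample users and session ids) are constructed for illustration.

```python
"""Email-change handler: insecure variant beside a hardened one.

Constructed example; the store, sessions and notifier are in-memory stand-ins
for a real database, session layer and mail service.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    user_id: str
    email: str                      # confirmed address; the only reset target
    password_hash: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def hash_password(pw: str) -> str:
    # Stand-in for a slow salted hash (argon2/bcrypt); sha256 keeps the example short.
    return hashlib.sha256(pw.encode()).hexdigest()


def verify_password(user: User, pw: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(pw))


class Notifier:
    """Records (recipient, subject) pairs instead of sending mail."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def make_fixture() -> Tuple[Dict[str, User], Dict[str, str], Notifier]:
    # Constructed sample state: one user, one live session cookie.
    store = {"u1": User("u1", "alice@example.invalid", hash_password("correct horse"))}
    sessions = {"sess-1": "u1"}     # session id -> user id
    return store, sessions, Notifier()


# --- Vulnerable flow: a stolen session cookie is all an attacker needs ----------
def change_email_insecure(store, sessions, session_id, new_email, notifier):
    user = store[sessions[session_id]]
    user.email = new_email          # no reauth, no notice to the old address,
    return user.email               # and reset mail now goes to the new one


# --- Hardened flow: step-up auth, notify old address, verify before switching ----
def request_email_change(store, sessions, session_id, current_password, new_email, notifier):
    user = store[sessions[session_id]]
    if not verify_password(user, current_password):
        raise PermissionError("reauthentication failed")
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.pending_token = token
    notifier.send(user.email, "Email change requested")   # old address is told
    notifier.send(new_email, "Confirm new email")          # verification goes to new address
    return token


def confirm_email_change(store, user_id, token) -> bool:
    user = store[user_id]
    if user.pending_token is None or not hmac.compare_digest(user.pending_token, token):
        return False
    user.email = user.pending_email
    user.pending_email = user.pending_token = None
    return True


def password_reset_target(user: User) -> str:
    # Reset links are only ever sent to the confirmed address, never a pending one.
    return user.email


if __name__ == "__main__":
    store, sessions, notifier = make_fixture()
    tok = request_email_change(store, sessions, "sess-1", "correct horse",
                               "alice-new@example.invalid", notifier)
    print("reset target before confirm:", password_reset_target(store["u1"]))
    confirm_email_change(store, "u1", tok)
    print("reset target after confirm: ", password_reset_target(store["u1"]))
```

The detection signal for the bug on the page is visible in the insecure function: the handler never calls `verify_password` and never writes to the notifier, so a log review would show email changes with no preceding reauthentication event and no notice to the previous address.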