Introduction
While reviewing an old Vine bug bounty report, I found an interesting issue that had nothing to do with stolen sessions or leaked tokens. A simple logic flaw in the Android signup flow allowed an attacker to abuse email case sensitivity and lock users out of their own accounts. I decided to write about this report because bugs like this still exist today, and with the right approach, even beginners can find similar issues and earn their first bug bounty.
Vulnerability Overview
- Platform: Vine Android Application
- Vulnerability Type: Account overwrite / Denial of account access
- Root Cause: Case-sensitive email handling during signup
- Impact: Victim permanently locked out of original account
- Bounty Paid: $280
- Report ID: #187714
Understanding the Root Cause
Email addresses are generally treated as case-insensitive.
For example: