
BATIST://writeup

Account Pre-Registration & Email Ownership Bypass Leading to Permanent User Lockout

Example Target: example.com

Severity: High / Critical

Category: Authentication • Identity Management • Account Security

Executive Summary

The platform allowed users to create accounts using any email address without verifying ownership. No confirmation email was required after signup, and the password recovery system did not send reset emails.

This enabled a pre-registration attack: an attacker could register an account using another person's email address before the legitimate owner did, and the platform would treat the attacker's unverified claim as authoritative.

Impact

Proof of Concept

An attacker registers using a victim’s email address. The account is created immediately without email verification. When the real owner later tries to register, the email is already marked as used.

If the victim attempts password recovery, no reset email is received. As a result, the legitimate user cannot register, log in, or recover the account.
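To make the root cause and the fix concrete, the following is an added example written for this writeup; it is not code from the report or from the affected platform. It contrasts the vulnerable pattern (the address is marked "used" the moment anyone submits the signup form) with a hardened flow in which an address is only claimed once its owner redeems a confirmation token delivered to that mailbox, an unverified signup never blocks a later one, and password recovery actually sends mail. The in-memory stores, the `send_mail` callable, the 24-hour token lifetime and the sample addresses are all constructed assumptions.

```python
"""Vulnerable vs. hardened signup flow for the pre-registration issue described above.
All storage and the mailer are constructed in-memory stand-ins (assumptions, not the
platform's real code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _norm(email: str) -> str:
    # Normalise so "Victim@Example.com " and "victim@example.com" are the same claim
    return email.strip().lower()


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# --- Vulnerable pattern: an address is "used" the instant anyone types it into the form ---
class VulnerableSignup:
    def __init__(self):
        self.accounts = {}  # email -> password (plain here for brevity; hash it in real code)

    def register(self, email: str, password: str) -> str:
        email = _norm(email)
        if email in self.accounts:
            return "email already in use"  # the legitimate owner is now locked out
        self.accounts[email] = password    # no ownership proof, no confirmation mail
        return "account created"


# --- Hardened pattern: an address is claimed only after its owner proves control of it ---
@dataclass
class Pending:
    token_hash: str
    password: str
    expires_at: float


class VerifiedSignup:
    TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid (assumed policy)

    def __init__(self, send_mail):
        self.accounts = {}          # verified accounts only
        self.pending = {}           # unverified signups; these never block a later signup
        self.send_mail = send_mail  # assumed mailer: send_mail(to, subject, body)

    def register(self, email: str, password: str, now: float = None) -> str:
        now = time.time() if now is None else now
        email = _norm(email)
        if email in self.accounts:
            # Same response either way so the form does not enumerate registered addresses
            self.send_mail(email, "Sign-up attempt", "Use password reset if you forgot your password.")
            return "check your email"
        token = secrets.token_urlsafe(32)
        # A later submission for the same address replaces an unverified one, so a
        # pre-registration cannot squat the address: only the mailbox owner ever sees a
        # valid token. Only the token's hash is stored server-side.
        self.pending[email] = Pending(_hash(token), password, now + self.TOKEN_TTL)
        self.send_mail(email, "Confirm your account", f"token={token}")
        return "check your email"

    def verify(self, email: str, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        email = _norm(email)
        p = self.pending.get(email)
        if p is None or now > p.expires_at:
            return False
        if not hmac.compare_digest(p.token_hash, _hash(token)):
            return False
        self.accounts[email] = p.password  # ownership proven: the address is now claimed
        del self.pending[email]
        return True

    def request_password_reset(self, email: str) -> str:
        # Recovery must actually reach the mailbox; respond identically for unknown addresses
        email = _norm(email)
        if email in self.accounts:
            self.send_mail(email, "Password reset", f"reset={secrets.token_urlsafe(32)}")
        return "check your email"


def demo():
    """Replay the report's scenario against both flows and return the outcomes."""
    vuln = VulnerableSignup()
    vuln.register("victim@example.com", "squatter-pw")
    vulnerable_owner_result = vuln.register("victim@example.com", "owner-pw")

    outbox = {}  # constructed mailbox: address -> last body delivered there
    hard = VerifiedSignup(lambda to, subject, body: outbox.__setitem__(to, body))
    hard.register("victim@example.com", "squatter-pw")      # pre-registration attempt
    squatter_verified = hard.verify("victim@example.com", "not-the-real-token")
    hard.register("Victim@Example.com", "owner-pw")         # real owner signs up later
    owner_token = outbox["victim@example.com"].split("=", 1)[1]  # only the mailbox has it
    owner_verified = hard.verify("victim@example.com", owner_token)
    return {
        "vulnerable_owner_result": vulnerable_owner_result,
        "squatter_verified": squatter_verified,
        "owner_verified": owner_verified,
        "owner_password_in_effect": hard.accounts.get("victim@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is in `VerifiedSignup.register`: a pending, unverified claim is overwritten by any later signup for the same address, so nothing an outsider submits can reserve a mailbox they do not control, and the confirmation and reset tokens are only ever delivered to that mailbox.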

Observed Behavior