Introduction
In today’s world of responsible disclosure, bug bounty platforms like HackerOne hold massive importance. They track researchers’ reports, award bounties, and maintain public Hall of Fame profiles showcasing each hacker’s achievements.
But what if someone could quietly take over your username and profile link without accessing your account?
Security researcher abuseing uncovered a critical process flaw that allowed exactly this, all with just a spoofed email. For this clever discovery, they were awarded a $100 bounty under Report ID #25281.
Let’s dive into how this bug worked, why it mattered, and how it was fixed.
What was the vulnerability?
At its core, the issue exploited HackerOne’s support process for handling username change requests.
Here’s the normal workflow:
- A user emails [email protected] requesting a username change.
- The support team replies: Please confirm this request from the email associated…