Zero Click Account Takeover
While testing the application, I noticed that it allowed users to create an account using social logins such as Facebook, Google and Apple.
So I started testing the application's OAuth flow. My main focus was the Facebook login.
While testing, I noticed that the application trusted the data it received from Facebook, including the name, email and date of birth, and automatically treated it as verified.
So I just needed to find a way to edit my email in the request, and an idea popped into my head.
What if I sign up with a mobile number?
Would the application ask the user to provide their email address since it didn’t receive the data through Facebook?
It happened exactly as I thought!!
So I signed up on the application through Facebook (the Facebook account had been created using a phone number), and because the application couldn't retrieve the user's email, a dialog box popped up prompting the user to enter an email.
In the dialog box, I provided the victim’s email.
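The root cause is that the application gave an address typed into its own dialog the same trust as an address attested by the identity provider. The following is an added example (not code from the post or from the affected application) that contrasts that account-linking logic with a hardened version: only a provider-attested, provider-verified address inherits verified status, a user-supplied address is stored unverified and never matched against existing accounts, and the address can only be claimed after the user completes the normal email verification loop. The `ProviderProfile` shape, the in-memory `directory`, and all sample identities and addresses are constructed for the example and do not correspond to any real provider's API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProviderProfile:
    """Decoded identity claims from a social login provider.
    Constructed shape for this example, not any real provider's response format."""
    provider: str
    subject: str                  # provider's stable id for this user
    email: Optional[str]          # None when the provider account was created with a phone number
    email_verified: bool = False  # True only when the provider itself attests the address


@dataclass
class Account:
    email: str
    email_verified: bool
    identities: List[Tuple[str, str]] = field(default_factory=list)


# Existing accounts keyed by lowercase email (constructed in-memory store).
Directory = Dict[str, Account]


def vulnerable_login(profile: ProviderProfile, prompted_email: Optional[str],
                     directory: Directory) -> Account:
    """Mirrors the flaw described in the post: whichever email arrives with the login
    request, from the provider or from the dialog, is treated as verified and used to
    look up and attach the social identity to an existing account."""
    email = (profile.email or prompted_email or "").lower()
    if not email:
        raise ValueError("no email available")
    account = directory.get(email)
    if account is None:
        account = Account(email=email, email_verified=True)
        directory[email] = account
    account.identities.append((profile.provider, profile.subject))
    return account


def hardened_login(profile: ProviderProfile, prompted_email: Optional[str],
                   directory: Directory) -> Account:
    """Only a provider-attested address inherits verified status and may be matched
    against existing accounts. A user-typed address yields an isolated, unverified
    account that is not entered into the directory until verification completes."""
    if profile.email and profile.email_verified:
        email = profile.email.lower()
        account = directory.get(email)
        if account is None:
            account = Account(email=email, email_verified=True)
            directory[email] = account
        account.identities.append((profile.provider, profile.subject))
        return account

    if not prompted_email:
        raise ValueError("no email available")
    # Unverified, user-supplied address: never merge into whoever owns it already.
    return Account(email=prompted_email.lower(), email_verified=False,
                   identities=[(profile.provider, profile.subject)])


def confirm_email(account: Account, directory: Directory) -> Account:
    """Called only after the user proves control of the address (for example by
    following a link sent to it). Refuses to claim an address that another
    account already owns, so a pending account can never absorb an existing one."""
    owner = directory.get(account.email)
    if owner is not None and owner is not account:
        raise PermissionError("address already belongs to another account")
    account.email_verified = True
    directory[account.email] = account
    return account
```

In a real deployment the pending account would be persisted with an expiry and the `identities` list would live in its own table, but the decision points are the same: verified status comes only from the provider's own attestation, and lookup-by-email for linking happens only on verified addresses.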