From JWT Expiry to Full Account Takeover: A Bug Bounty Journey


Introduction

This write-up details a vulnerability chain I discovered during a private bug bounty program that led to full account takeover (AC takeover) by exploiting delayed session expiration and improper access control. Due to a non-disclosure agreement, I cannot reveal the program’s name, but the vulnerability flow, technical reasoning, and the process of turning a low-severity bug into a critical issue are worth sharing.

The purpose of this write-up is not only to demonstrate the technical journey but also to highlight the importance of persistence, lateral thinking, and disciplined testing in bug bounty hunting.


Background

I began testing this program on February 5th, after facing a frustrating month filled with low bounties and duplicate reports. In an effort to reset my mindset, I immersed myself in community blogs, read up on modern attack strategies, and collected various small tips to refine my methodology.

This program, built entirely on AWS and designed to monitor AWS accounts, became my next target. After a week of exploration, I initially found three P4 issues and one P3 issue. Although the program doesn't typically reward P4-level bugs, they appreciated the findings and awarded bounties regardless. However, these findings didn't meet the expectations I had set for myself — until I stumbled upon a JWT expiration flaw that eventually escalated to a P1 full account takeover.


The Initial Discovery: JWT Expiry Delay

While testing user sessions, I discovered that JSON Web Tokens (JWTs) issued to users (including admins) were not expiring immediately upon role revocation or user removal. Instead, JWTs remained active for 15 minutes after removal, during which the session was still treated as valid.

Initially, I reported this behavior as a low-risk session management issue. The program acknowledged it as a business logic flaw but marked it as “Won’t Fix” due to the perceived low risk and lack of clear exploitability.


Turning the Flaw into Exploitation

Unwilling to give up, I reviewed the entire flow again with a fresh perspective. That night, I retraced the vulnerability logic, identified gaps in privilege validation, and conceptualized a scenario that could result in complete project takeover.

Vulnerability Chain Summary

  1. Delayed JWT Expiry: Admin tokens remain valid for 15 minutes even after the user is removed from the project.

  2. Improper Privilege Enforcement: A removed admin (still within the valid JWT session) can still perform restricted actions, such as inviting users to the project.

  3. Privilege Escalation via Self-Invitation: The removed admin invites themselves back to the project while the token is still valid, regaining full admin privileges.

  4. Account Takeover: Using the regained access, the attacker removes the default admin and becomes the sole project admin.


Scenario Demonstration

Actors:

  • Jon – Default Admin

  • Tyrion – Invited Admin (assigned by Jon)

Steps:

  1. Jon removes Tyrion from the project for violating rules.

  2. Tyrion, still logged in, receives an email confirming removal. However, his JWT remains valid for the next 15 minutes.

  3. Within that timeframe, Tyrion invites himself back to the project using the still-active session.

  4. The system accepts the invitation request without revalidating current privileges.

  5. Tyrion regains access, removes Jon from the project, and becomes the sole admin — effectively achieving full account takeover.


Key Exploit Insight

Although the original bug (delayed token expiration) was not considered exploitable, lateral thinking revealed a critical privilege escalation path. By combining session timing, improper role enforcement, and self-invitation logic, it was possible to convert a "business logic" issue into a high-impact vulnerability.


Lessons Learned: Four Principles of Bug Bounty Hunting

  1. Invest Time Strategically
    Allocate at least one day for reconnaissance and two weeks for deep testing of a single program.

  2. Don’t Give Up Too Early
    Even after weeks of testing without high-impact results, a breakthrough is still possible with persistence.

  3. Think Before You Report
    A small bug may become a critical one with lateral thinking. Avoid rushing reports — explore all possible angles.

  4. Focus on Learning, Not Just Rewards
    Continuous learning often leads to better results than chasing quick wins. Quality over quantity.


Timeline

  • Night: Vulnerability escalated to AC takeover and reported

  • Morning (~5 hours later): Received confirmation and a P1 bounty


Conclusion

This case highlights the significance of understanding application logic beyond surface-level testing. While the JWT delay alone wasn't dangerous, its interaction with invitation mechanisms and privilege enforcement exposed a major flaw.

This experience reinforced that impact isn’t always in the bug — it’s in how you think about it. By practicing patience and critical analysis, a seemingly low-severity issue can become a high-priority vulnerability.

Dipak Prajapati

Co-Founder

Penetration Tester | Ethical Hacker

6+ Years in Bug Bounty & Pen-testing, Acknowledged by 70+ Organizations,
Specializing in Web, Mobile & API Security Testing
