Interactive companions to the blog posts. Each demo is isolated per browser session.
Attacker registers with the victim's email before the victim does. The victim's own SSO login activates the attacker's account.
Precondition: knowing the target email and getting there first.
Victim has a legitimate account. Any SSO provider asserting the same email is silently merged in - no prompt, no notification.
Precondition: obtaining an OAuth token at any one of the trusted providers.
Linking a new sign-in method requires re-authenticating via an already-linked method first.