Security Vulnerability Report – Account Takeover via Email Change Without OTP [3]
Dear Crossfire PH Security / Support Team,
I would like to responsibly report a security loophole I have identified in your account security system.
Issue 1: Email Change Without Old Email OTP Verification
When a user's password is compromised, an attacker who knows the password can change the registered email address without requiring OTP verification from the original/old email. After changing the email to one they control, the attacker can receive all future OTPs and fully take over the account — locking out the legitimate owner with no way to recover it.
Why this is serious:
It completely bypasses email-based security
The original owner receives no notification or chance to stop the change
It makes your email OTP system ineffective against account takeovers
Issue 2: STOVE Authenticator App is Not Accessible to All Users
While I understand that Crossfire PH now uses the STOVE authenticator app as a security measure, this solution is not practical for a large portion of your player base because:
Not all users own a smartphone capable of running the app
A significant number of players are underage and may not have personal mobile devices
This creates an unequal security experience where many users are left with weaker account protection through no fault of their own.
Issue 3: Removal of Security Questions
The previous security question system provided an additional verification layer that was accessible to all users regardless of device ownership. Removing it without a universally accessible replacement has weakened overall account security for a large segment of your community.
Suggested Fixes:
Require OTP from the current/old email before any email change is approved
Restore security questions or introduce an equivalent alternative that does not require a smartphone
Consider adding account change notifications so owners are alerted immediately
Implement login anomaly detection for new devices or locations
I am reporting this in good faith to help protect the Crossfire PH community. I have not exploited this vulnerability and am not disclosing it publicly until it has been addressed.
Please feel free to reach out for further clarification.
Regards,
shikakushihori/KhanTuhTahn
#FixTheBug #SecurityAlert #PlayerSafety #GameSecurity #SecureOurAccounts #CrossfirePH #CrossfirePhilippines #CFPH #Crossfire
#AccountSecurity #ResponsibleDisclosure #CyberSecurity #AccountProtection #SecurityVulnerability
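The email-change flaw described in Issue 1 and the fix proposed under "Suggested Fixes" (OTP sent to the current address before the change is applied, followed by a change notification) are shown side by side in the added example below. This is illustrative code written for this page, not Crossfire PH or STOVE code; the class and method names, the message texts, the 10-minute OTP lifetime and the 3-attempt limit are all assumptions.

```python
"""Added example (not Crossfire PH / STOVE code): a minimal account service
contrasting an email change gated only by the password with one that requires
an OTP delivered to the *current* address, plus a change notification.
All names, messages and the 10-minute OTP lifetime are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 600   # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 3    # assumed guess limit before the pending change is discarded


@dataclass
class Account:
    username: str
    password: str   # plaintext only to keep the example short; hash it in real code
    email: str


@dataclass
class PendingChange:
    new_email: str
    otp: str
    expires_at: float
    attempts: int = 0


class AccountService:
    def __init__(self, clock=time.time):
        self.accounts = {}   # username -> Account
        self.pending = {}    # username -> PendingChange
        self.outbox = {}     # email address -> list of messages (stand-in for SMTP)
        self.clock = clock

    def register(self, username, password, email):
        self.accounts[username] = Account(username, password, email)

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.password, password)

    def _send(self, address, message):
        self.outbox.setdefault(address, []).append(message)

    # Vulnerable flow (what the report describes): anyone holding the password
    # rewrites the address, so every later OTP goes to the attacker.
    def change_email_insecure(self, username, password, new_email):
        if not self.login(username, password):
            return False
        self.accounts[username].email = new_email
        return True

    # Hardened flow, step 1: the password only lets you *ask*; the code is
    # mailed to the address currently on file, which the attacker cannot read.
    def request_email_change(self, username, password, new_email):
        if not self.login(username, password):
            return False
        acct = self.accounts[username]
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = PendingChange(new_email, otp, self.clock() + OTP_TTL_SECONDS)
        self._send(acct.email, f"Confirm changing your account email to {new_email}: code {otp}")
        return True

    # Hardened flow, step 2: apply the change only with a fresh, unused, correct code,
    # then notify the old address so the owner can react if it was not them.
    def confirm_email_change(self, username, otp):
        pc = self.pending.get(username)
        if pc is None:
            return False
        if self.clock() > pc.expires_at:
            del self.pending[username]
            return False
        if not hmac.compare_digest(pc.otp, otp):
            pc.attempts += 1
            if pc.attempts >= MAX_OTP_ATTEMPTS:
                del self.pending[username]
            return False
        acct = self.accounts[username]
        old_email, acct.email = acct.email, pc.new_email
        del self.pending[username]   # single use
        self._send(old_email, f"Your account email was changed to {pc.new_email}. Not you? Contact support.")
        return True


def simulate_stolen_password():
    """Attacker knows the victim's password but cannot read the victim's mailbox."""
    weak = AccountService()
    weak.register("victim", "hunter2", "victim@example.com")
    taken_over = weak.change_email_insecure("victim", "hunter2", "attacker@example.com")

    strong = AccountService()
    strong.register("victim", "hunter2", "victim@example.com")
    strong.request_email_change("victim", "hunter2", "attacker@example.com")
    # The attacker never sees the code; a blind guess is rejected (and counted).
    guess = "000000" if strong.pending["victim"].otp != "000000" else "000001"
    blocked = not strong.confirm_email_change("victim", guess)
    return {"insecure_takeover": taken_over,
            "hardened_blocked": blocked,
            "email_after_hardened": strong.accounts["victim"].email,
            "otp_reached_attacker": "attacker@example.com" in strong.outbox}


if __name__ == "__main__":
    print(simulate_stolen_password())
```

The point of the two-step flow is that knowing the password only starts the change; completing it needs something the attacker does not have (the current mailbox), the code expires and is single-use, and the old address is told what happened so the owner has a chance to react. Login anomaly detection and a non-smartphone fallback for users without the authenticator app are separate measures the report also asks for and are not covered here.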
UP UP UP UP CFPH!
UP to this CFPH!
100 % agree on Issue 1: Email Change Without Old Email OTP Verification.
Thank you for the suggestion. Rest assured that it will reach our game developers for review.