@dk82hg found that the email change flow on indiehackers.com was vulnerable to an insecure direct object reference (IDOR): an authenticated attacker could change the email address associated with another user's account to one they controlled and, in certain situations, use that to take over the victim's account. A fix was shipped that confirms authentication on account actions.
Note: This bug was accepted and received before our minimum bounty amounts were increased on August 25, 2021.