A critical account takeover vulnerability on gambling platform Gamdom was publicly disclosed in a Discord server after the researcher claimed their bounty report was mishandled and underpaid.
On June 16, 2026, an anonymous security researcher dropped a detailed account takeover (ATO) exploit into a public gambling community Discord, exposing a significant flaw in Gamdom’s authentication system – and igniting a heated argument about how the platform handled the disclosure.
Vulnerability
The researcher outlined a multi-step attack chain that could allow a malicious actor to permanently hijack any Gamdom user’s account with minimal effort, provided they knew the victim’s email address – information that is often publicly available.
The attack flow worked as follows:
- An attacker creates a Gamdom account using Steam OAuth authentication.
- The attacker adds the victim’s email address to that account – without any email verification required.
- When the victim later signs up or logs in using Google OAuth with the same email address, the platform detects the email collision and invalidates the attacker’s active session.
- However, the attacker’s Steam identity remains linked to the now-victim-owned account.
- The attacker simply re-authenticates via Steam and regains full, persistent access to the victim’s account.
The researcher described it as a “one-click persistent account takeover” – requiring no special tools, no malware, and no direct interaction from the victim beyond simply logging into their own account.
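The linking behaviour described above, modelled as an added example (not Gamdom's code, which the page does not show). `AccountStore`, `set_email`, `oauth_login` and `prelinked_identity_survives` are hypothetical names and the identities and address are constructed; with `hardened=True` an unverified email claim is never used to merge accounts, so the Google sign-in gets its own account.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Account:
    id: int
    email: str = ""
    email_verified: bool = False
    identities: set = field(default_factory=set)  # {(provider, subject)}
    sessions: set = field(default_factory=set)

class AccountStore:  # hypothetical in-memory model, not the platform's code
    def __init__(self, hardened):
        self.hardened, self.accounts, self._ids = hardened, [], count(1)

    def _new(self, identity, email=""):
        acct = Account(next(self._ids), email, bool(email), {identity})
        self.accounts.append(acct)
        return acct

    def set_email(self, acct, email):
        # Flaw from the page: address attached with no proof of ownership.
        acct.email, acct.email_verified = email, False

    def oauth_login(self, provider, subject, verified_email=""):
        identity = (provider, subject)
        for acct in self.accounts:
            if identity in acct.identities:
                return acct  # known identity: ordinary login
        match = next((a for a in self.accounts
                      if verified_email and a.email == verified_email), None)
        if match and self.hardened and not match.email_verified:
            match.email = ""  # drop the unproven claim
            match = None      # and never merge into that account
        if match is None:
            return self._new(identity, verified_email)
        # Collision merge: sessions revoked, earlier identity links kept (the gap).
        match.sessions.clear()
        match.identities.add(identity)
        match.email_verified = True
        return match

def prelinked_identity_survives(hardened):
    store = AccountStore(hardened)
    first = store.oauth_login("steam", "steam-A")  # constructed sample values
    store.set_email(first, "owner@example.test")
    first.sessions.add("session-1")
    owner = store.oauth_login("google", "google-B", "owner@example.test")
    return store.oauth_login("steam", "steam-A").id == owner.id
```

`prelinked_identity_survives` works as a regression check: it should return `False` for any linking flow that is safe against the collision described above.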
Bounty Dispute
According to the researcher, the vulnerability was reported to Gamdom five hours before the public disclosure. Rather than receiving a meaningful response, they claim their initial report email was terminated, allegedly flagged for “botting.” Support staff eventually acknowledged the report and sent a $500 payment.
The researcher was furious. “This n***a has the audacity to make posts on twitter talking about how casinos ruin peoples lives and couldn’t even pay me a good bounty,” they wrote in the chat, referring to Gamdom owner Felix.
Multiple users argued the bounty was far below industry standard for a vulnerability of this severity. One user noted that Duel, a competing gambling platform, pays “$30k+ per critical bug.” Another pointed out that even the smaller site Monkeytilt had paid larger bounties for less severe issues.
“Even Ossi sent 15 [thousand] and this man is his clown,” one user remarked.
Felix Pushes Back
Felix, Gamdom’s owner, was present in the Discord during the disclosure and disputed the researcher’s characterisation of the vulnerability.
“It was only possible with social engineering involved so non-critical,” Felix argued, suggesting that because an attacker needed to know the victim’s email address, the exploit required social engineering and therefore didn’t warrant a high-severity classification.
This argument was roundly rejected by others in the chat.
“Is he saying that it is social engineering because you need to find someone’s email?” one user responded. Another pointed out that email addresses for streamers and public figures are almost always publicly available, making the “social engineering” barrier essentially non-existent.
The researcher pushed back directly: “You can’t possibly consider a user signing up with Google OAuth social engineering.”
Felix later softened slightly, saying “from what I heard, but fair, I’ll check if there was anything again” — and acknowledged that Gamdom generally pays good bounties. However, no public commitment to increase the payout was made during the conversation.
The Gamdom situation is not unique. Poor security and broken bug bounty programs are a widespread problem across online gambling platforms.
