Misconfiguration leads to company identity theft via email verification bypass.
Hi all, this is hamzadzworm and today I want to share with you a logic issue that allowed me to bypass email verification and then led to identity theft.
I got an invite from a private company, so I started checking it as a normal user.
I updated my name to an HTMLi payload.
After some time I found that I was able to create a support case.
After creating a new one I got an email that came from (support@company.com), but the HTMLi in the name didn't work.
Because the email is received from the official company support address, I was thinking that I had to get HTMLi working here to achieve identity theft.
I found the possibility to add a new comment on the created case and was directly thinking that I must receive an update email about my case.
And this is what happened after I added a new comment:
So as you saw, HTMLi didn't work when I created a new case, but it worked after I added a comment to get an update about the case, so never stop while testing and keep digging :)
Now the email is received from the company support address and the HTMLi is working in it.
Did we finish? Not yet. This is only self-HTMLi until now, and what is left is to exploit it against other users.
The first step I thought about was changing my email to another user's email, then making a comment on the support case so that the new victim email would receive the update mail containing the HTMLi.
But when I put in another user's email, the page got refreshed and asked me to verify the email before performing any action like accessing a support case.
I kept thinking for a while to find a logic error, so I opened a new account with my email, then verified the email.
Now I can access support cases with my new account, and the bypass for that was to open two tabs: one containing my profile, where I will change the email, and a second one containing the support case page, since there is a possibility that the support case page won't get refreshed.
Steps:
I will update my email on the profile tab.
As you see, the profile tab was refreshed and asked me to confirm the email to access support cases, but the other tab that was already open didn't get refreshed or ask me to verify the email.
So I will add a comment on the already open tab of the support case, and the update mail with HTMLi sent from the official support address of the company will go to the email that is pending verification.
That's how I was able to bypass email verification and exploit the company support cases to send emails with any subject and content I want to any email I want.
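The two defects behind this bypass, modelled in Python as an added example (not the target's code, and all names and addresses are constructed): the comment endpoint trusts the client's page state instead of re-checking the server-side verification flag on every request, and the display name is placed in the HTML mail body unescaped. The hardened handler fixes both.

```python
import html
from dataclasses import dataclass


@dataclass
class Account:
    display_name: str
    email: str
    email_verified: bool = True


@dataclass
class SentMail:
    to: str
    body: str


def change_email(acct: Account, new_email: str) -> None:
    # Changing the address puts the account into "pending verification".
    # This flag is the server-side truth; every later request must re-check it.
    acct.email = new_email
    acct.email_verified = False


def add_comment_vulnerable(acct: Account, case_id: int, text: str) -> SentMail:
    # Flaw 1: no email_verified check here, so the page refresh that nags the
    # user is the only "enforcement" and a stale tab skips it entirely.
    # Flaw 2: the display name is dropped raw into an HTML mail body.
    body = (f"<p>{acct.display_name} commented on case {case_id}:</p>"
            f"<p>{text}</p>")
    return SentMail(to=acct.email, body=body)


def add_comment_hardened(acct: Account, case_id: int, text: str) -> SentMail:
    # Fix 1: authorization is decided per request from stored state, not
    # from whatever the browser happens to be showing.
    if not acct.email_verified:
        raise PermissionError("email address pending verification")
    # Fix 2: escape user-controlled fields before they enter the template.
    body = (f"<p>{html.escape(acct.display_name)} commented on case {case_id}:</p>"
            f"<p>{html.escape(text)}</p>")
    return SentMail(to=acct.email, body=body)


if __name__ == "__main__":
    # Constructed sample: HTML in the name, then a switch to an unverified address.
    acct = Account("<b>Constructed Name</b>", "owner@example.invalid")
    change_email(acct, "victim@example.invalid")
    print(add_comment_vulnerable(acct, 42, "hello"))  # mail goes to unverified address
    try:
        add_comment_hardened(acct, 42, "hello")
    except PermissionError as exc:
        print("blocked:", exc)
```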
Result:
I hope you enjoyed it. Waiting for your reviews; if you liked it I will share more logic issues with unique ways -.-