Improper Input Validation Leads To Email Spamming
Hi Guys, In this article, I will share how did I found Improper Input Validation Leads To Email Spamming on my target (redacted.com)
So while i was testing on the target as usual there were option to edit our first and last name on the profile. so when i tested on that function i noticed that there were no input character limit and i was thinking like what i can do rather that DOS!!!
So i started searching for any other interesting endpoints and suddenly one of the function caught me up.There was a option to invite other users via email, so when we try to invite any other user, they will receive mail like this
So When i checked the invitation mail i noticed that instead of username, my first and last were showing, So i was thinking like what if i changed my first and last name to any other spam message !!.So i edited the first & last name to like this
After changing the names, again used the invite function and i have received mail like this
The email was received from their official support centre mail ID. and the interesting part was, i’m able to invite an existing user also, the domain were not validating the user whether they exists or not, so by this way i can do spamming, phishing etc via their support mail id
So i reported this directly to the company.
2022 Aug 25: Reported
2022 Aug 26: Marked As Duplicate