I noticed it is possible to create a team and invite members from https://dashboard.website.com. However, the invitation link looked like this: https://dashboard.website.com/confirm-signup-invitation?lang=en&email=abc@gmail.com , which means that if, as a team creator, I invite two users and the first user knows the second user's email address, the first user can join as the second user. The administrator will then think the second user has joined, not the first. Once this happens, the second user will not be able to join from the invitation email, as his email is already registered. With this impersonation in place, the first user may change application details as the second user, or contact support to update the email address of the account.
The bug worked like this, step by step:
1. Go to https://dashboard.website.com/profile/team.
2. Create a team and send an invitation to Member1.
3. Send another invitation to Member2.
4. Now consider that Member1 knows Member2 is also joining the team.
5. Member1 will modify his invitation token and use Member2's email address.
6. Member1 will sign up and have full access to the application as Member2.
7. You will think Member2 has joined and Member1 has still not accepted.
8. Member1 has successfully impersonated Member2 via IDOR.
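To make the root cause concrete, here is an added example in Python (my own illustration, not the dashboard's actual code): a weak acceptance handler that trusts the email carried in the confirm-signup link, next to a hardened one that takes the email from the server-side record bound to the token. The in-memory store, function names and sample addresses are assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class InviteStore:
    invites: dict = field(default_factory=dict)  # token -> invited email (server side)
    members: dict = field(default_factory=dict)  # joined email -> token used

def create_invite(store: InviteStore, email: str) -> str:
    """Issue an unguessable invitation token bound to one email address."""
    token = secrets.token_urlsafe(32)
    store.invites[token] = email
    return token

def accept_vulnerable(store: InviteStore, token: str, email_from_url: str) -> bool:
    """Weak handler (models the bug): only checks that the token exists, then
    trusts the ?email= value from the confirm-signup link."""
    if token not in store.invites or email_from_url in store.members:
        return False
    store.members[email_from_url] = token
    del store.invites[token]
    return True

def accept_hardened(store: InviteStore, token: str, email_from_url: str) -> bool:
    """Fixed handler: the email comes from the server-side record for the
    token; the URL value must match it, and the token is single-use."""
    invited = store.invites.get(token)
    if invited is None or invited != email_from_url or invited in store.members:
        return False
    store.members[invited] = token
    del store.invites[token]
    return True

def demo(handler) -> dict:
    """Replay the write-up: Member1 presents his own token with Member2's
    address, then Member2 tries to accept his own invitation."""
    store = InviteStore()
    t1 = create_invite(store, "member1@example.com")  # constructed sample data
    t2 = create_invite(store, "member2@example.com")
    impersonated = handler(store, t1, "member2@example.com")
    victim_joins = handler(store, t2, "member2@example.com")
    return {"impersonated": impersonated, "victim_can_join": victim_joins,
            "members": sorted(store.members)}

if __name__ == "__main__":
    print("vulnerable:", demo(accept_vulnerable))
    print("hardened:  ", demo(accept_hardened))
```

With the weak handler the impersonation succeeds and Member2 is locked out of his own invitation; with the hardened one the mismatched email is rejected and Member2 joins normally.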
The impact was pretty clear in this scenario:
Firstly, User1 can impersonate User2.
Secondly, the administrator will believe the changes are coming from User2, when they are actually coming from User1.
When User2 is impersonated, he cannot use that email to sign up.
Meanwhile, the imposter User1 may already have contacted support to request an email change.
1. Try out things on team-management applications.
2. Don't hesitate to try out repeated emails.
3. Check access control based on user permissions.
If you have any questions or queries, do let me know via the comment section.