
Create miscellaneous support ticket on anyone's account through [email protected] email

HackerOne

Team Summary

Official summary from HackerOne

The reporter was able to submit support tickets via email as any user, similar to https://hackerone.com/reports/2068830 except via email.

> As of May 15, 2023, this email no longer accepts new requests. To contact us, please use our HackerOne Support Portal, https://support.hackerone.com/support/home.

but it would also create a ticket. The hackers reporting #2068830, #2082680 caused us to take another look at this previously informative report (as it was a dupe, and then we realised it was actually different systems: email vs the actual support tool), so we chose to award both. We later discovered this was already mitigated internally - we already ensured it was resolved so nobody took a look at it, but now we also delete the ticket created. Something that's different from usual reports we get is that this was an asset not considered in scope, so we didn't have a concrete bounty table and it brought our team to the drawing board on how we want to handle such reports. Whilst we want to encourage hackers to hack on non-listed assets belonging to us, and also out-of-scope assets (i.e. for managed services) that are on us, such as misconfigurations or information disclosure, it's currently not something we have clear guidelines for. We opted to give a bonus without bounty instead to speed the process along.

Reported by sayaanalam

Vulnerability Details

Technical details and impact analysis

Misconfiguration
**Summary:** I hope you're well. HackerOne recently changed from Zendesk to Freshdesk, which introduced this vulnerability. This asset is not in scope, but I'm reporting it because of the severity of this vulnerability, as it can have a high impact on the integrity of the support desk.

**Description:** This vulnerability is similar to my previous finding [on the Dropbox program](https://infosecwriteups.com/mail-server-misconfiguration-leads-to-sending-a-fax-from-anyones-account-on-hellofax-dropbox-bbp-aab3d97ab4e7?source=user_profile---------0----------------------------). When we create a support ticket by sending an email to [email protected], it creates a support ticket on the HackerOne Support portal on the victim's support center account. I found that we can create a support ticket on anyone's account by sending a fake email to [email protected], putting the victim's email in the `FROM` field. This would create a support ticket on the victim's account; an attacker can use this to create miscellaneous tickets on anyone's account, or they can create tickets on behalf of **HackerOne** staff. You can check the ticket (441828); I created this ticket by sending a fake email. We can use any fake emailer service, e.g. https://emkei.cz/

### Steps To Reproduce

1. Go to https://emkei.cz/
2. Put the victim's email in the `From E-mail: ` field and [email protected] in the `To:` field
3. Enter anything in name, content, subject and click Send

██████

* Now a ticket would be created on behalf of the victim

## Impact

* Using this bug an attacker can create miscellaneous tickets on behalf of the victim or create unnecessary noise on the victim's support desk account
* Attacker can create internal tickets on behalf of HackerOne employees

Best Regards

**Sayaan Alam**
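One defensive check for a help desk that files inbound e-mail as tickets on the sender's account, as an added example in Python (not HackerOne's or Freshdesk's code): attribute the ticket to the `From:` address only when the receiving mail server recorded a DMARC pass for it, and ignore any `Authentication-Results` header that was not written by that server. The authserv-id `mx.support.example`, the sample messages and the unverified-queue policy are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own MX writes into Authentication-Results
# (RFC 8601). Headers carrying any other id are ignored, because the sender of
# an inbound message can include a forged Authentication-Results header of their own.
TRUSTED_AUTHSERV = "mx.support.example"
_VERDICT = re.compile(r"\b(dmarc|dkim|spf)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)

def parse_auth_results(msg, authserv=TRUSTED_AUTHSERV):
    """Map mechanism -> verdict, taken only from headers written by our own MX."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = hdr.split(";", 1)[0].split()      # "<authserv-id> [version];"
        if not parts or parts[0].lower() != authserv.lower():
            continue
        for mech, verdict in _VERDICT.findall(hdr):
            verdicts.setdefault(mech.lower(), verdict.lower())  # topmost header wins
    return verdicts

def ticket_requester(raw_message):
    """Return (from_address, trusted) for an inbound support e-mail.

    trusted is False unless our MX recorded a DMARC pass for the From: domain;
    an untrusted message belongs in an unverified queue, not on the From: user's account."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    trusted = parse_auth_results(msg).get("dmarc") == "pass"
    return addr, trusted

# Constructed sample messages, not real traffic.
HEADERS = "From: Victim <victim@example.com>\nTo: support@help.example\nSubject: Hi\n"
SPOOFED = HEADERS + ("Authentication-Results: mx.support.example; spf=fail "
    "smtp.mailfrom=victim@example.com; dkim=none; dmarc=fail header.from=example.com\n\nnot me\n")
LEGIT = HEADERS + ("Authentication-Results: mx.support.example; spf=pass "
    "smtp.mailfrom=victim@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n\nhello\n")
# Sender-supplied header claiming a pass under a foreign authserv-id, with nothing from our MX.
FORGED = HEADERS + "Authentication-Results: mail.attacker.example; dmarc=pass header.from=example.com\n\nnot me\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("forged", FORGED)):
        print(name, ticket_requester(raw))
```

The same gate can be logged as a detection signal: a burst of untrusted messages whose `From:` addresses map to existing accounts is exactly the noise pattern this report describes.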

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$1000.00

Weakness

Misconfiguration