About Myself:
I am Dinesh Narasimman (you can call me professor). I am a cybersecurity researcher who is trying to become the best version of myself. This is my first write-up on an interesting bug, so if you find any grammatical errors, please forgive me, because I am not going to use any AI. Without any delay, let’s jump into the point.
About Target:
My target is a Platform as a Service (PaaS) provider (the name should not be revealed, as per their policy). I got the program invite on the YesWeHack bug bounty platform. Yes, it is a private program.
The Exploration:
After I accepted their invite, I started using their application for about 2 to 3 hours as a normal user. They have a lot of features in their application, which literally blew my mind (literal adrenaline rush). There is an organization setup that has user management and roles as well. Two features caught my eye:
1. We can invite other users to our organization with a specific role (users who do not have an account on clever-cloud.com), and the invite email looked like this.
2. We can add a secondary email to our account.
Here is the Bug
You can notice that there are two options in the invite email: “Sign Up” and “Join [Organization Name]”.
Now consider this. I have two accounts; let’s call them the “attacker” account and the “victim” account.
The steps are:
1. I invited a user to my organization from the attacker’s session (let’s call the email attacker2@abc.com). The invite email received at attacker2@abc.com had two options, “Sign Up” and “Join [Organization Name]”.
2. I copied the link of the Sign Up option and pasted it into the browser in which I was logged into the victim’s account.
3. Boom! The attacker2@abc.com email had been added to the victim’s account as a secondary email.
4. I navigated to the forgot password page and checked whether I would receive the forgot password link at attacker2@abc.com. Yes, I got the forgot password link and was able to change the victim account’s password.
To put it simply: open the invite link in the victim’s session. To make it clearer: make the victim open your invite link in his/her session.
How I showcased the Impact (Here comes the Magic)
The main thing here is the Sign Up option in the invitation email. Because the link is a plain GET that the victim’s browser follows with their cookies attached, I made a CSRF PoC with this link and opened it in the victim’s account. It still worked very well.
Then what next? → Reported → Got a reward of 800 EUR (it is my second bounty).
The Last Part
I am confident that I blew your mind with this write-up. If you think this write-up added any value to you (of course it did), do clap and give your feedback about my write-up. I am always open to improving myself.
To see my YouTube channel, please click here. (If you find anything interesting on my channel, please do subscribe.)
To connect, click the link.
Finally, Thanks for reading