Misconfiguration lead to company identity theft via bypass email verification.

Hi all, this is hamzadzworm and today i want to share with you a logic issue that allowed me to bypass email verification then lead to identity theft

I got an invite from private company so i start checking it as a normal user

i updated my name to an htmli payload

after some time i found that iam able to create a support case

after creating new one i got an email that came from (support@company.com) but htmli in name didnt worked

because email is received from official company support email i was thinking that i have to get an htmli here to make identity theft

i found the possibility to add new comment on the created case and was directly thinking that i must receive an update in email about my case

and this is what happened after i added new comment

so as you saw htmli didnt worked when i created new case but it worked after i added a comment to get update about the case, so never stop while testing and keep digging :)

now email is received from company support email and htmli is working on it

did we finished?, not yet this is self htmli untile now and what left is to exploit it against other users

first step you i thinked about is change my email to other user email then make comment on support case and the new victim email will receive the update mail that contain htmli

but when i put other user email page got refreshed and aske me to verify email to make any action like access support case

i keep thinking for a while to get a logic error so i opened a new account with my email, then verify email

now i can access support cases with my new account and bypass for that was to open two tabs one contain my profile where i will change email and second one contain the support case page there is possibility that support case page won’t get refreshed

Steps:

i will update my email on profile tab

as you see the profile tab was refreshed and asked me to confirm email to access support cases but the other tab that was already opened didnt get refreshed or asked me to verify email

so i will add comment on the already opened tab of support cases and update mail with htmli that sent from official support of company will go to the email that it pending verification

thats how i was able to bypass email verification and exploit company supper cases to sent emails with any subject and content i want to any email i want

Result:

i hope you enjoyed it waiting for your reviews if you liked it i will share more logic issues with unique ways -.-