An effortless Social Media and Internal Workspace takeover via Helpdesk.

Spandan Pokhrel

Recently, I discovered a remarkably simple vulnerability that allowed me to access nearly all the emails sent to the company's email address through their helpdesk. With this access, taking over their social media and internal workspace was a piece of cake.

Before we delve into the vulnerability details, let's first understand how the ticketing system works.
Company: Orange.com (hypothetical)
  1. A user named Potato uses their email Potato@gmail.com to visit Orange.com and create an account. After authentication, Potato can create and access their support tickets via support.orange.com/tickets.
  2. Potato sends an email to support@Orange.com, which also creates a ticket that Potato can access via support.orange.com/tickets.
This is a common way companies handle support tickets. However, a significant problem arises if Orange.com lets users register without proving that they control the email address they sign up with:
  • Orange.com allows users to register without email verification.
  • Orange.com's social media accounts (Facebook, Instagram, Twitter, etc.) are registered with the email support@orange.com.
  • An attacker creates an account on Orange.com using the email notification@facebookmail.com (the address Facebook sends its notifications from) and goes to support.orange.com/tickets.
  • The attacker goes to Facebook.com, navigates to the reset-password page, and enters the email support@orange.com.
  • Facebook now sends an email from notification@facebookmail.com to support@orange.com containing a password reset link.
  • As in step 2 above, the helpdesk turns every email received at support@orange.com into a ticket and attaches it to the account whose email address matches the sender. Because the sender is notification@facebookmail.com, the reset email shows up on support.orange.com/tickets for that account.
  • The attacker, who owns the (unverified) Orange.com account registered as notification@facebookmail.com, opens the ticket and reads the password reset link.
  • The same trick works with any sender address: an account registered as noreply@google.com, for example, would expose every email Google sends to support@orange.com, including password reset links, reset codes, verification OTP codes, etc.
Therefore, the only requirements are:
  • No email verification on signup.
  • The ability to view our own tickets, with the helpdesk matching inbound email to accounts by sender address.
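As an added illustration (not code from the original post or from any real helpdesk product), here is a small Python model of the flow described above. It shows the unverified signup beside a variant that requires an emailed confirmation token, and an inbound reset mail from notification@facebookmail.com that becomes a ticket. The Helpdesk class, the addresses and the reset text are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    email: str
    verified: bool
    pending_token: Optional[str]  # confirmation token mailed at signup, if any


@dataclass
class Ticket:
    sender: str   # From address of the inbound mail, lower-cased
    subject: str
    body: str


class Helpdesk:
    """Constructed toy model of the ticketing flow in the post: web signup plus
    inbound mail to support@ that becomes tickets visible to the account whose
    email equals the sender address."""

    def __init__(self, require_verification: bool):
        self.require_verification = require_verification
        self.users: Dict[str, User] = {}
        self.tickets: List[Ticket] = []

    def signup(self, email: str) -> Optional[str]:
        """Vulnerable mode: the typed address is trusted immediately.
        Hardened mode: the account stays unverified until the token that was
        mailed to `email` is presented, so only the address owner can finish."""
        email = email.lower()
        if not self.require_verification:
            self.users[email] = User(email, verified=True, pending_token=None)
            return None
        token = secrets.token_urlsafe(16)
        self.users[email] = User(email, verified=False, pending_token=token)
        return token  # in reality this is emailed to `email`, never shown to the browser

    def confirm_email(self, email: str, token: str) -> bool:
        user = self.users.get(email.lower())
        if user is None or user.pending_token is None:
            return False
        if not secrets.compare_digest(user.pending_token.encode(), token.encode()):
            return False
        user.verified, user.pending_token = True, None
        return True

    def receive_mail(self, sender: str, subject: str, body: str) -> None:
        """Every mail delivered to support@ is filed as a ticket keyed on From."""
        self.tickets.append(Ticket(sender.lower(), subject, body))

    def my_tickets(self, email: str) -> List[Ticket]:
        """Ticket portal: a logged-in, verified user sees every ticket whose
        sender equals their account address."""
        user = self.users.get(email.lower())
        if user is None or not user.verified:
            return []
        return [t for t in self.tickets if t.sender == user.email]


def run_attack(require_verification: bool) -> List[str]:
    """Replays the post's steps and returns the ticket bodies the attacker can read."""
    hd = Helpdesk(require_verification)
    hd.signup("notification@facebookmail.com")
    # The attacker does not control facebookmail.com, so in hardened mode the
    # confirmation token never reaches them and the account stays unverified.
    # Requesting a Facebook reset for support@ makes Facebook mail the helpdesk:
    hd.receive_mail("notification@facebookmail.com", "Reset your password",
                    "Constructed sample: your password reset code is 123456")
    return [t.body for t in hd.my_tickets("notification@facebookmail.com")]
```

With `require_verification=False` the attacker's portal shows the reset code; with it set to `True` the same steps return nothing, while a genuine user who completes `confirm_email` with the mailed token still sees their own tickets. Note that this example only closes the signup gap the post identifies: tickets are still matched on the From header, which is spoofable, so a real deployment should also not treat an unauthenticated From address (no SPF/DKIM/DMARC pass) as proof of who sent the mail.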
This was exactly the case on target.com:
1. I created an account on target.com/signup using the email notification@facebookmail.com and went directly to target.com/support/tickets.
2. Then, I visited the Facebook Password Reset page and entered the company's email, support@target.com.
3. The email from notification@facebookmail.com was sent to support@target.com with a password reset code and was treated as a support ticket.
4. Since I had an account with notification@facebookmail.com on target.com, I could easily access the password reset link on target.com/support/tickets.


Impact:
The impact is clear: if an attacker registers on target.com with the email noreply@google.com, which requires no email verification, every email Google sends to support@target.com shows up in the attacker's ticket portal as a ticket. That includes OTPs, password reset codes and other sensitive information, which is enough to take over any third-party account (social media, internal workspace) registered to the support address. The fix is the missing control itself: require users to prove they control an address before it is linked to an account, and do not attach inbound mail to an account on the strength of the From address alone.

Please note that this information is provided purely for educational purposes. You are solely responsible for any misuse of any vulnerabilities.
