User's email disclosure via invalid password reset link [$250]

Today I got a bug bounty from a HackerOne private program, and I want to share the bug process.

I reset my account password from the subdomain https://auth.reacted.com and received the password reset link via email:

https://auth.reacted.com/account/password-reset?userid=1234&key=abcdef

The password reset link has two parameters, userid and key. I changed key to a wrong random value and got this error message:

"The password reset link was invalid, possibly because it has already been used. Please request a new password reset"

I checked all the requests and responses and noticed one response coming from

https://auth.reacted.com/account/password-reset/confirm

The JSON response included an email parameter carrying the account's email address:

{"valid":false,"email":"godofdarkness_msf@gmail.com"}

Nice. I tried changing userid:

https://auth.reacted.com/account/password-reset?userid=1&key=abcdef

https://auth.reacted.com/account/password-reset?userid=2&key=abcdef

WTF. I got the email address of each userid back in the JSON error response, even though the key was invalid.
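To make the root cause concrete, here is an added example (my own code, not the program's backend) of a confirm handler with the same flaw beside a fixed one. The user store, email addresses and reset keys are constructed sample data; the fixed handler returns only the validity bit, compares the key in constant time, and treats an unknown userid exactly like a wrong key.

```python
import hmac
from typing import Dict

# Constructed sample user store: userid -> email and current reset key.
# A reset_key of None means no reset is pending (or it was already used).
USERS: Dict[int, dict] = {
    1: {"email": "alice@example.test", "reset_key": "k1-valid-token"},
    2: {"email": "bob@example.test", "reset_key": None},
    1234: {"email": "carol@example.test", "reset_key": "abcdef"},
}


def confirm_reset_vulnerable(userid: int, key: str) -> dict:
    """Mirrors the behaviour in the writeup: the email is looked up by
    userid and echoed back whether or not the key matches, so any userid
    plus a bogus key yields that account's email address."""
    user = USERS.get(userid)
    if user is None:
        return {"valid": False}
    valid = user["reset_key"] is not None and key == user["reset_key"]
    return {"valid": valid, "email": user["email"]}


def confirm_reset_hardened(userid: int, key: str) -> dict:
    """Fixed version: the response never carries the email. The key check
    uses a constant-time comparison, and a missing user or a consumed key
    produces the same answer as a wrong key, so the endpoint also cannot be
    used to enumerate which userids exist."""
    user = USERS.get(userid)
    stored = (user or {}).get("reset_key") or ""
    # Compare bytes so non-ASCII input cannot raise and short-circuit.
    valid = stored != "" and hmac.compare_digest(stored.encode(), key.encode())
    return {"valid": valid}
```

Whatever the client needs to show after a successful validation (such as the masked address) should be fetched only once valid is true, never included in the failure response.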

I reported it to the HackerOne private program, and they awarded me $250.

See you in next bounty.
