How signing up for an account with an @company.com email can have unexpected results

Something so simple can have unexpected results. It was a late evening and I was fed up with looking at Burp, so I decided to just try some things manually on random programs. The result? I ended up with a P1 :)

The site was pretty simple: it was similar to an app store, and users could sign up and claim they were a part of an organisation or create their own. When setting up a new organisation you were required to enter a valid phone number, and whoever created it first was the root owner. When a new user attempted to join an organisation, a unique code was sent to the organisation’s phone number, which was then used as the 2FA code. So ultimately the root owner had the final say on who could join. Pretty straightforward, right?

I really didn’t fancy social engineering a phone company to take over that mobile number. Tip: don’t rely on 2FA via SMS.

As every researcher will know, sometimes you think of random things to try. I don’t know why, but I just randomly thought, “This site doesn’t require us to verify our account/email, so what would happen if our account email is *@organisation.com?”. Two minutes later, armed with a sean@organisation.com account, I clicked “Claim”. This time I was presented with a different screen:

Interesting, this is new! So according to this, all I need to do is press “Submit”, check my email and then verify I own that email (presumably by clicking a link). The problem is, I don’t own this email, therefore I can’t click the special link. Hmm.

I sat and stared at the screen and suddenly thought, “I wonder what will happen if we change our account email to one we control BEFORE pressing the submit button?” So I did just that. With the email changed in my account settings, and the “Submit” button sitting there waiting to be pressed, I went for it.

It worked! Soon my phone lit up with an email: “Please verify your identity and confirm your membership of zseano test by clicking the following link”. Things, however, weren’t working as planned just yet. I clicked the link to verify my ownership, but I was presented with an error: “Sorry, this email cannot signup with this organisation!”.

Then it hits me: I need to change my email BACK to sean@organisation.com before clicking the link.

We’re in! :) Now I can automate this process and join any organisation I wish.
(Sadly no screenshot of what you can do once you’re in; there is too much private information to hide, so there wouldn’t be much else to see.)

tl;dr:

  • Sign up using a *@organisation.com email.
  • Click “Claim” on the organisation.
  • Change your email to one you control and press “Submit”.
  • Change your email back to *@organisation.com and click the link.
  • We’re in! :)
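The flaw is a check-then-use gap: the domain check runs against the account’s *current* email at claim time and again at link-click time, but the link itself is mailed to whatever address the account holds in between, and nothing ties the token to that mailbox. Below is an added Python model of both flows (not the program’s own code, which the post doesn’t show): the vulnerable version re-reads the account email when the link is clicked, while the hardened version binds the token to the mailbox the link was delivered to and refuses if the account email has changed since. The account id, `organisation.com` and `attacker.example` are constructed sample values.

```python
import secrets

ORG_DOMAIN = "organisation.com"          # constructed sample organisation
accounts = {}                            # account_id -> current (unverified) email
tokens = {}                              # token -> verification record

def in_org_domain(email):
    return email.rsplit("@", 1)[-1].lower() == ORG_DOMAIN

def set_email(account_id, email):        # "change email in account settings"
    accounts[account_id] = email

# Vulnerable flow: the token only records the account, so the domain check at
# click time re-reads whatever email the account has *at that moment*.
def send_link_vulnerable(account_id):
    token = secrets.token_hex(16)
    tokens[token] = {"account": account_id}
    return token, accounts[account_id]   # (token, mailbox the link is sent to)

def confirm_vulnerable(token):
    rec = tokens.pop(token)
    email = accounts[rec["account"]]
    if not in_org_domain(email):
        raise PermissionError("this email cannot sign up with this organisation")
    return email                         # membership granted

# Hardened flow: check the domain when the link is sent, bind the token to that
# mailbox, and at click time verify the bound mailbox rather than the live email.
def send_link_fixed(account_id):
    email = accounts[account_id]
    if not in_org_domain(email):
        raise PermissionError("this email cannot sign up with this organisation")
    token = secrets.token_hex(16)
    tokens[token] = {"account": account_id, "email": email}
    return token, email

def confirm_fixed(token):
    rec = tokens.pop(token)
    if rec["email"] != accounts[rec["account"]]:
        raise PermissionError("email changed since the link was sent")
    return rec["email"]                  # ownership of *this* mailbox was proven

def run_post_sequence(send_link, confirm):
    """Replays the tl;dr steps; returns (mailbox that got the link, email granted)."""
    set_email("acct", "sean@" + ORG_DOMAIN)        # sign up with an org email
    set_email("acct", "sean@attacker.example")     # swap to a mailbox we control
    token, recipient = send_link("acct")           # press "Submit"
    set_email("acct", "sean@" + ORG_DOMAIN)        # swap back before clicking
    return recipient, confirm(token)
```

Against the vulnerable pair the sequence returns membership for the org address even though the link was delivered to the attacker-controlled mailbox; the hardened pair rejects it at the send step, and would also reject a swap made after sending.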

A similar method was found by @securinti which enabled him to access internal communications on some companies via their helpdesk.

When was the last time you signed up with an @company.com email and started poking? :)

(note: I made these screenshots to hide the identity of the program.)
