DUPLICATE BUT STILL COOL

TL;DR: from low impact to account takeover to duplicate, here is the story of a cool bug I found on a private program at HackerOne.

The company redacted.com provided CRM services to users: a user can sign up as an organization and then invite team members with either an admin role or a basic user role. The invitation process seemed fine at first; everything was being checked properly. The invitation link had a 32-byte alphanumeric token (NO WAY OF BRUTEFORCING THAT) and the CSRF token was checked properly. It was all good until I found the first bug.

IDOR on resend invitation

An admin has the ability to view pending invitations and can also resend them. It seemed fine; the POST request was as follows:

POST /invitations/363484/resend HTTP/1.1
Host: bugbounty.redacted.com
Authorization: Bearer base64 token

The JSON response contained the email: {"status":"success","email":"email@example.com"}

The problem was that if you changed the invitation id you could see invitations sent by other companies registered to redacted.com. After creating multiple invites I noticed that the invitation id increments, which confirmed there was no need to brute force: simply use Intruder and increment/decrement the id to disclose the invited emails of other companies.
By itself this is not that important, because we can't see any important information in the response except the email.

Chaining the first bug with a design flaw

Now the real fun started. I grabbed the email reflected in the response, then went on to register an account on redacted.com using that email.
After sign up I got redirected to an HTML page that said:

Company X has invited you to join them, please use the link in the e-mail.
Click on resend invitation to receive the email again

I copied the resend invitation link on that page; it looked something like

https://www.redacted.com/resend_invitation/TOKEN

I went over to check my email: it had the same link, except that instead of resend_invitation they used join, so the link was like

https://www.redacted.com/join/TOKEN

So I went back to the tab, replaced resend_invitation with join and boom! I got in. An attacker could take over arbitrary accounts with this vulnerability simply by leveraging the first IDOR and signing up every email that gets reflected back in the JSON response.
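To show what a fix for both bugs looks like, here is an added example (my own Python sketch, not redacted.com's code; the class names, URLs and in-memory storage are assumptions). The resend endpoint scopes its lookup to the caller's organization and role, so a foreign id is indistinguishable from a missing one, and the post-signup resend page gets its own secret so it can never be rewritten into a join link.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Invitation:
    id: int
    org_id: int
    email: str
    # Two independent secrets: join_token travels only by e-mail; resend_token is the
    # only one the post-signup "resend invitation" page may put in a link.
    join_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    resend_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class NotFound(Exception):
    pass  # same error for missing and foreign ids, so /resend is no enumeration oracle

class InviteService:
    def __init__(self) -> None:
        self.invitations: dict[int, Invitation] = {}
        self.outbox: list[tuple[str, str]] = []  # (email, link); stand-in for SMTP

    def create(self, org_id: int, email: str) -> Invitation:
        inv = Invitation(id=len(self.invitations) + 1, org_id=org_id, email=email)
        self.invitations[inv.id] = inv  # sequential ids are fine once access is scoped
        return inv

    def _mail(self, inv: Invitation) -> None:
        self.outbox.append((inv.email, f"https://www.example.com/join/{inv.join_token}"))

    def resend_as_admin(self, caller_org: int, caller_role: str, invitation_id: int) -> dict:
        """POST /invitations/<id>/resend: row must be in the caller's org and caller an admin."""
        inv = self.invitations.get(invitation_id)
        if inv is None or inv.org_id != caller_org or caller_role != "admin":
            raise NotFound
        self._mail(inv)
        return {"status": "success", "email": inv.email}

    def resend_from_page(self, resend_token: str) -> None:
        """GET /resend_invitation/<resend_token>: the only effect is another e-mail."""
        inv = next((i for i in self.invitations.values() if i.resend_token == resend_token), None)
        if inv is None:
            raise NotFound
        self._mail(inv)

    def join(self, token: str) -> Invitation:
        """GET /join/<join_token>: swapping the path segment no longer works, different secret."""
        inv = next((i for i in self.invitations.values() if i.join_token == token), None)
        if inv is None:
            raise NotFound
        return inv
```

With the original design the resend page's URL contained the join token itself, which is why a path swap was enough; the fix is separating the two secrets, not making the ids random.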

This was a duplicate report, but it was a cool one.
To the original reporter: if you are reading this, well done ;)

Till next time,
Happy hunting everyone,

Plenum