HackerOne: Edit Auto Response Messages

ID H1:123027
Type hackerone
Reporter rohk
Modified 2016-03-15T03:01:18


Not completely sure if this is by design due to encountering it for the first time.

When a company has auto response turned on, the reporter can change the contents of the message without any problems. The reporter should not be able to change the contents of the company's auto response in any way due to the fact that they should not have privileges to that feature.

PoC: Users can abuse this by changing the contents of the auto response to something else.