Hi
I have found a vulnerability in your website using which i can trick the victim into using a specific email address to login in into the website and him thinking that he is using his own email address and continuing the session and then later we can take back the account and check what are the chats he made
UNDER SOME CIRCUMSTANCES
HOW TO REPRODUCE:-
scenarios - a team admin sends you and the victim a joining link to his team.
it looks like this:-
https://hackerone.cloud.mattermost.com/signup_user_complete/?d={“display_name”:“\u003ch1\u003ea”,“email”:“██████████”,“name”:“main”}&t=cqtkyznxn8e43yagt9fjcsrc4nh6yoqq914in3zg4ykj1jkjbc9bippckjikj4cw
now we can see that there is an Email value and a token value. here the email value doesn’t matter because even if we change it . you will be login as the
email to which the link was send. the token is assigned according to a particular email value
but interesting thing happens when we remove the email value and keep it blank (REFER TO THIS EMAIL)
IF we go to the first link it asks us for name and password
BUT if we go to the second link it ask’s for username password and email(HERE things get interesting)
even if we give a different email address to it . you will be signed as the attacker email id and the you can continue the session thinking that its your own email id you are using
the attacker can use his own invite link and then remove the email value from it and send it to the victim. when the victim clicks he sees 3 fields he give his own email id password and username and continue the session when done he log’s out then the attacker can use forget password to take back his account and look through all of his private messages
STEPS TO REPRODUCE :-
NOW I HAVE RATED IT HIGH BECAUSE USING THIS WE CAN SEE ALL THE CONVERSATION’S HE DID FOR A PARTICULAR SESSION
I WILL ATTACH THE POC BELOW