HackerOne report H1:1634165 by akashhamal0x01
Jul 12, 2022 - 7:31 a.m.

Stripe: Mass account takeover!


@akashhamal0x01 discovered an Organization Owner could update the email address of a member of their organization in TaxJar. This could have allowed an attacker to take over a victim’s account if the victim belonged to the attacker’s organization. The vulnerability was caused by the ability to edit another member’s email address and was resolved by restricting Organization Owners from editing a member’s email address.
A misconfiguration was found by which other users' email addresses could be changed, resulting in account takeover!
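The authorization flaw described above, side by side with the kind of restriction that resolved it, as an added illustration written for this page (not TaxJar's or Stripe's code; User, Organization, OWNER_EDITABLE and the update_* function names are assumptions):

```python
# Illustrative code for this page (not TaxJar's or Stripe's implementation);
# User, Organization, OWNER_EDITABLE and the update_* names are assumptions.
from dataclasses import dataclass, field

class Forbidden(Exception): """The acting user is not allowed to make this change."""

@dataclass
class User:
    id: int
    email: str
    role: str = "member"

@dataclass
class Organization:
    owner_id: int
    member_ids: set = field(default_factory=set)

OWNER_EDITABLE = {"role"}  # member fields an Organization Owner may edit after the fix

def _require_owner_of(org, actor, target):
    if actor.id != org.owner_id or target.id not in org.member_ids:
        raise Forbidden("actor does not own an organization that target belongs to")

def update_member_vulnerable(org, actor, target, changes):
    # Before the fix: owning the organization is the only check, so the owner
    # can rewrite a member's login email, which is what enabled the takeover.
    _require_owner_of(org, actor, target)
    for name, value in changes.items():
        setattr(target, name, value)
    return target

def update_member_fixed(org, actor, target, changes):
    # After the fix: 'email' is no longer owner-editable. Only the account holder
    # may change it; other fields still need the owner check and an allow-list.
    if "email" in changes and actor.id != target.id:
        raise Forbidden("only the account holder may change their login email")
    others = set(changes) - {"email"}
    if others:
        _require_owner_of(org, actor, target)
        if not others <= OWNER_EDITABLE:
            raise Forbidden(f"not owner-editable: {sorted(others - OWNER_EDITABLE)}")
    for name, value in changes.items():
        setattr(target, name, value)
    return target

def make_fixture():
    # Constructed sample data: one owner and one member of the same organization.
    owner = User(1, "owner@example.com", role="owner")
    member = User(2, "victim@example.com")
    return Organization(owner_id=1, member_ids={1, 2}), owner, member
```

In a real service the self-service email change would additionally require re-authentication and a confirmation link sent to the new address; the point of the contrast is that organization ownership alone must not be a sufficient condition for editing another account's login identity.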