Slack: Team admin can add billing contacts

ID H1:47940
Type hackerone
Reporter satishb3
Modified 2015-04-03T00:45:03


Billing contacts can only be added by team owners. However, a team admin can escalate privileges and add billing contacts.

Steps to reproduce:
1. Log in as team admin.
2. Send the below request using his token and it adds '' to billing contacts.

POST /api/team.billing.addContact HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 106

To confirm, log in as team owner and navigate to billing contacts. Notice that is added to the billing contact list.
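
Added example (not part of the original report and not Slack's code): a server-side, deny-by-default role check of the kind that stops an admin token from reaching an owner-only method such as team.billing.addContact. The token store, role names, the team.info method and all function names are hypothetical.

```python
from enum import IntEnum

class Role(IntEnum):
    MEMBER = 1
    ADMIN = 2
    OWNER = 3

class Forbidden(Exception):
    pass

# Constructed token store for the example: token -> (user, role).
TOKENS = {"tok-owner": ("olivia", Role.OWNER), "tok-admin": ("adam", Role.ADMIN)}

# Minimum role per API method. Only team.billing.addContact is taken from the
# report; team.info is a hypothetical admin-level method added for contrast.
REQUIRED_ROLE = {
    "team.billing.addContact": Role.OWNER,
    "team.info": Role.ADMIN,
}

def add_billing_contact(team, email):
    team["billing_contacts"].append(email)
    return {"ok": True}

def team_info(team):
    return {"ok": True, "name": team["name"]}

HANDLERS = {
    "team.billing.addContact": add_billing_contact,
    "team.info": team_info,
}

def dispatch(token, method, team, **params):
    """Authorize from the role bound to the token, then call the handler."""
    if token not in TOKENS:
        raise Forbidden("invalid_auth")
    _, role = TOKENS[token]
    required = REQUIRED_ROLE.get(method)
    # Deny by default: a method with no policy entry is never callable,
    # and the role comes from the server-side record, never from the request.
    if required is None or role < required:
        raise Forbidden("not_allowed")
    return HANDLERS[method](team, **params)

def unprotected_methods():
    """Regression check: handlers registered without a policy entry."""
    return sorted(set(HANDLERS) - set(REQUIRED_ROLE))
```

Running unprotected_methods() in CI and failing the build on a non-empty result catches new endpoints that ship without a role requirement.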