Hello guys , today I’m gonna share one of my finding on how I was able to delete accounts via support ticket also without any account verification .

So everyone knows about support form or contact us form . But many of them unware about the issue that this can be use as account deletion .

Also my target application support team doesn’t implement any kind of verification that ticket submitted by original user or on-behalf-of original user .

I reported this type of bug on few private programs , few of them confirmed this bug and triaged it .

Lets call this private program redacted.com . Logged into redacted.com and I searched for support chat/ contact-us form at redacted.com . Got a contact us form . Filled out that form and set subject to “Close Account” but email was unchangeable . I quickly intercept the form submit request and change email there and it worked . I submitted Account deletion request on-behalf-of victim .

In next stage , victim will receive direct email of account got closed, no user verification by support team . Once account got closed , victim can’t login or access anything .

Timeline:

11/02/22 – Report submitted .

17/02/22 – Discussion with team

01/03/22 – Provided more PoCs and steps .

03/03/22 – set severity as low and rewarded $$$ .

Thanks for reading my blog . Hope this will help you in your next target .