Hello guys , today I’m gonna share one of my finding on how I was able to delete accounts via support ticket also without any account verification .
So everyone knows about support form or contact us form . But many of them unware about the issue that this can be use as account deletion .
Also my target application support team doesn’t implement any kind of verification that ticket submitted by original user or on-behalf-of original user .
I reported this type of bug on few private programs , few of them confirmed this bug and triaged it .
Lets call this private program redacted.com . Logged into redacted.com and I searched for support chat/ contact-us form at redacted.com . Got a contact us form . Filled out that form and set subject to “Close Account” but email was unchangeable . I quickly intercept the form submit request and change email there and it worked . I submitted Account deletion request on-behalf-of victim .
In next stage , victim will receive direct email of account got closed, no user verification by support team . Once account got closed , victim can’t login or access anything .
11/02/22 – Report submitted .
17/02/22 – Discussion with team
01/03/22 – Provided more PoCs and steps .
03/03/22 – set severity as low and rewarded $$$ .
Thanks for reading my blog . Hope this will help you in your next target .