- Let's say the victim's email is [email protected]. Create an account whose address looks similar to the victim's email (for example, [email protected]). Use a fake mailer to send a request to [email protected] asking them to change your email address from [email protected] to [email protected].
From: [email protected]
Reply To: [email protected]
To: [email protected]
Subject: Change my E-mail address
Message:
Hello,
My real email address is [email protected]. I mistakenly entered wrong email id ([email protected]) which I don't use anymore. So I kindly request you to change my email address from [email protected] to [email protected].
Thanks & Regards
Victim
P.S.: This is not a social engineering attack. Their mailbox is not filtering spoofed emails properly; that is why the vulnerability exists. Modify the message as per your choice.
- Try to create an account using an @target.com email address and check whether it gives you any higher privileges (like viewing others' support tickets).
- Ticket Trick:
3.1. Generate a support ticket from [email protected]. You'll receive an email from [email protected]. Try to email something from [email protected] to [email protected]. If you can see the email at [email protected] or in the support portal, then it's possibly vulnerable. Now use the email [email protected] in different workspaces (like Slack, Yammer, etc.) to log in to their private workspace.
3.2. You can create tickets by sending an email to [email protected], and you can view the tickets you created in their support portal. Most support portals can be integrated with SSO (authenticated users are automatically logged into the support desk). Sometimes the application doesn't enforce e-mail verification (or maybe you can bypass it), which allows signing up with any e-mail address and reading any tickets created by that e-mail address. So in these cases, you can take over their third-party accounts like Twitter, GitHub, Instagram, etc. (if created using the email address [email protected]). For example, in the case of Twitter, they send their password reset emails from [email protected]. So you can follow the steps below:
1. Create an account on target.com with [email protected] (since they don't enforce email verification).
2. Now request a password reset for the email [email protected].
3. An email will be sent from [email protected] to [email protected] which contains the code.
4. A ticket will be created which consists of the email body and you can view the ticket on their support portal.
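
Both the spoofed change-of-address request and the ticket trick rely on the support inbox turning any inbound message into a ticket. The following is an added example, not code from the original page, of a triage check a help desk could run before creating a ticket. It assumes the inbound gateway stamps an `Authentication-Results` header; the authserv-id, the local-part list and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.helpdesk.example"  # assumption: authserv-id of your own gateway
AUTOMATED_LOCALPARTS = {"no-reply", "noreply", "password-reset", "verify"}  # illustrative
DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.I)

def triage(raw: str) -> list:
    """Reasons an inbound support mail must not become a customer-visible ticket."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Trust only Authentication-Results (RFC 8601) headers stamped by our own
    # gateway; a sender can prepend a forged copy that claims dmarc=pass.
    verdicts = [
        m.group(1).lower()
        for h in msg.get_all("Authentication-Results", [])
        if h.split(";")[0].strip().lower() == TRUSTED_AUTHSERV
        and (m := DMARC_RE.search(h))
    ]
    reasons = []
    if not verdicts or any(v != "pass" for v in verdicts):
        reasons.append("sender-not-authenticated")      # spoofed From passes no check
    if reply_to and reply_to != from_addr:
        reasons.append("reply-to-differs-from-sender")  # replies would go elsewhere
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"  # RFC 3834
    if auto or from_addr.partition("@")[0] in AUTOMATED_LOCALPARTS:
        reasons.append("automated-sender")              # e.g. third-party reset mail
    return reasons

# Constructed sample messages (all hosts and addresses are made up).
SPOOFED_CHANGE_REQUEST = (
    "Authentication-Results: mx.helpdesk.example; dmarc=fail header.from=customer.example\n"
    "Authentication-Results: mx.sender.example; dmarc=pass header.from=customer.example\n"
    "From: victim@customer.example\nReply-To: victim.alt@mailbox.example\n"
    "Subject: Change my E-mail address\n\nHello\n")
RESET_MAIL = (
    "Authentication-Results: mx.helpdesk.example; dmarc=pass header.from=thirdparty.example\n"
    "From: password-reset@thirdparty.example\nAuto-Submitted: auto-generated\n"
    "Subject: Your reset code\n\n(code)\n")
CUSTOMER_MAIL = (
    "Authentication-Results: mx.helpdesk.example; dmarc=pass header.from=customer.example\n"
    "From: alice@customer.example\nSubject: Login problem\n\nHi\n")

if __name__ == "__main__":
    for raw in (SPOOFED_CHANGE_REQUEST, RESET_MAIL, CUSTOMER_MAIL):
        print(triage(raw) or "create ticket")
```

Messages that return a non-empty list belong in a staff-only quarantine queue rather than in a ticket the sender's portal account can read. Enforcing e-mail verification at portal signup remains the primary fix.
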
Reference: