How I used a company email to send emails(a p3 severity bug).

Hello everyone I’m Jan Jeffrie Salloman, a newbie in bug bounty. I started bug hunting 4 months ago and this is a writeup of an interesting bug that I found without using any tool like burp suite. Before I start, want to say sorry for my english and please correct me if there are wrong grammars on my writeup haha! I hope you will learn new from this writeup.

This site is private so I will use redacted.com as an example. This site is an ecommerce like shopify so there were many functionalities. Every user can sign up or log in to sub.redacted.com and on that subdomain you can manage your online store. There’s a functionality where you can create invoices for your customers and you can create your own design for your invoices. So I created an invoice and clicked the invoice that I created. I tested XSS on inputs when creating the invoice but got no luck. After trying XSS, I’m observing some functions that I can do on the invoice I made. There are functions like duplicate invoice, print and send invoice to. Nothing special right? But after clicking send invoice to, I noticed that there are inputs like To:, From: and Content:. Guess what? The From: input caught my eye.

I was thinking, can I use emails that is not mine and put it in the From: input? So I tested a random email but it didn’t arrive in my email inbox. Maybe I can only use my email so I used my own email that I used on my account and it was sent to my inbox. After that, I lost hope because I can only use my own email not other emails. After a while I thought of using the emails from redacted.com. I used the support email of the redacted.com which is support@redacted.com and it arrived in my inbox and the email was from support@redacted.com.

That’s the story of the bug that I found without using any tool. Don’t lose hope and always think out of the box. I hope you enjoyed reading my writeup!