138
this post was submitted on 02 May 2024
138 points (98.6% liked)
Programming
22392 readers
47 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Struggling to figure out what the heck they did. Some kind of injection attack to send the email to an arbitrary account? How would you even mess that up in the first place
It was leveraged as part of an auto responding email function as part of a ticket that, when used as a secondary email address, allowed a password reset chit to be viewed and then used to change the password on the account.
I remember this one.
But it was fixed months ago. We patch nightly because enterprise software lets you roll back easily.
If I had to guess I'd say the email address was sent as part of the request and not verified.