Taking Over Employee Accounts by Managers with Zero Employee Interaction

  1. I logged in with my admin credentials, then navigated to the Users section.
  2. I clicked on the Employee profile and noticed that the email input cannot be edited or modified.
  • Apr 28, 2021: I recorded a video PoC and reported the issue to the private program on HackerOne.
  • Apr 29, 2021: The HackerOne team triaged the report and decreased the severity from Critical to Medium.
  • Apr 29, 2021: I asked them to reconsider the severity and to assess the bug according to the company's business risk and the impact it could have on the company's reputation and business.
  • Mar 3, 2021: Further discussion and debate about the severity between me, the HackerOne team and the program's internal team.
  • Mar 25, 2021: The program's internal team scored it as Medium, explaining that you have to be an admin/manager in order to take over the other accounts. They asked me to wait for further investigation into the root cause of this issue before issuing a bounty.
  • July 9, 2021: I asked for an update about the issue.
  • July 12, 2021: The team was still investigating.
  • July 21, 2021: The internal team kept the severity as Medium and awarded me a total of $600 ($500 bounty + $100 bonus).

Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.