Ravindra and I were hunting a target, spent the whole day without finding anything, and then the next day stumbled upon something while exploring the subdomain.

It has a login panel (login via phone number or email).

When I try to log in with my number, it asks for an OTP.

I always enter a wrong OTP first to see the response.

In the response, the email address linked to the account on the main domain is reflected.

Vulnerability

Simply enter any valid number to start an OTP verification, then input any OTP, and the email will be shown in the response.
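The following is an added example, not code from the original write-up or from the affected site. It models the server side of the OTP check described above: a handler that attaches the account record to the failure response (the pattern that leaks the linked email), a hardened handler that returns the same generic failure whether the number is unknown or the OTP is wrong and hands back only an opaque session token on success, and a small check a tester or gateway rule can run to flag responses that carry an email from the account store. The phone number, email, OTP and `issue_session_token` helper are constructed sample values, not anything from the target.

```python
"""
Added example (not from the original write-up): a minimal OTP-verification
handler showing the information-disclosure pattern described in the post
and a hardened variant. All accounts, phone numbers and OTPs below are
constructed sample values.
"""
import hmac

# Constructed sample account store keyed by phone number.
ACCOUNTS = {
    "+15550000001": {"email": "user@example.com", "name": "Sample User"},
}

# Constructed pending OTPs. In a real system these are generated per
# request, stored server-side with an expiry, and never sent back to the
# client in any response.
PENDING_OTPS = {"+15550000001": "482913"}


def issue_session_token(phone: str) -> str:
    """Placeholder (assumption) for real session issuance: an opaque random
    token bound to the verified number server-side. Deterministic here so
    the example is reproducible."""
    return "session-for-" + phone


def verify_otp_leaky(phone: str, otp: str) -> dict:
    """Vulnerable pattern: the handler serializes the whole account record
    into the response, so even a wrong OTP reveals the linked email."""
    account = ACCOUNTS.get(phone)
    if account is None:
        return {"ok": False, "error": "unknown number"}
    expected = PENDING_OTPS.get(phone)
    if expected is not None and hmac.compare_digest(otp, expected):
        return {"ok": True, "account": account}
    # The defect: account data is attached to a failure response.
    return {"ok": False, "error": "invalid otp", "account": account}


def verify_otp_hardened(phone: str, otp: str) -> dict:
    """Hardened variant: failure responses are generic and identical for an
    unknown number and a wrong OTP, and success returns only a session
    token. Profile data is served later over an authenticated endpoint."""
    account = ACCOUNTS.get(phone)
    expected = PENDING_OTPS.get(phone)
    if (
        account is not None
        and expected is not None
        and hmac.compare_digest(otp, expected)
    ):
        return {"ok": True, "session": issue_session_token(phone)}
    return {"ok": False, "error": "verification failed"}


def leaks_pii(response: dict) -> bool:
    """Response check usable in a test suite or an API-gateway rule: does a
    failure response carry an email address from the account store?"""
    if response.get("ok"):
        return False
    serialized = str(response)
    return any(acct["email"] in serialized for acct in ACCOUNTS.values())


if __name__ == "__main__":
    wrong = "000000"
    print("leaky handler leaks email:", leaks_pii(verify_otp_leaky("+15550000001", wrong)))
    print("hardened handler leaks email:", leaks_pii(verify_otp_hardened("+15550000001", wrong)))
```

Running the block shows the leaky handler returning the email on a wrong OTP while the hardened one does not; the `leaks_pii` check is the kind of assertion worth adding to an authentication endpoint's tests so the regression is caught before deployment.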


It was validated and assigned medium severity.

👍👍👍👍