How I Took Over User Accounts Using Just Their Slack Member ID

Dishebh Bhayana — Sat, 19 Jul 2025 18:56:39 +0000

🔐 TL;DR – Slack Integration Account Takeover Vulnerability

I discovered a critical vulnerability in a SaaS tool's Slack integration that allowed full account takeover using just a Slack Member ID.

Exploit Chain:

Convert Slack Member ID → Internal User ID

Use Internal ID → Fetch Session Token

Use Session Token → Get Bearer Tokens (access, refresh, id)

This gave unauthorized access to any user’s account. I responsibly disclosed it to the team, and they acknowledged and patched it promptly.

Discovery

While exploring the Slack integration of a SaaS tool, I noticed something odd: I was able to get the access token for any user by just using their slack user id.

In short, I could:

Convert any Slack Member ID into the internal user ID

Use that ID to fetch an authentication session token

Exchange the session token for full bearer tokens

With those, I had complete account takeover capability.

The Exploit Chain

Step 1 – Convert Slack Member ID to Internal User ID
An API accepted a Slack Member ID and returned the associated internal user identifier.

Step 2 – Use Internal ID to Fetch Session Token
A second endpoint accepted the internal user ID and returned a session token.

Step 3 – Use Session Token to Get Full Authentication Tokens
The final endpoint accepted the session token and returned a complete set of bearer tokens: access_token, refresh_token, and id_token.

This allowed me to take over any user’s account — view data, modify records, impersonate actions — all without their knowledge or consent.

Responsible Disclosure

I reported the issue privately to the team via email, along with a proof-of-concept video and clear reproduction steps. They acknowledged the issue promptly and patched it within days. I appreciated their transparent communication and quick resolution.

Email-First Medical Reporting for Rural Communities

Dishebh Bhayana — Fri, 06 Jun 2025 14:09:37 +0000

This is a submission for the Postmark Challenge: Inbox Innovators.

What I Built

I built a Rural Health Triage & Monitoring Dashboard that turns simple email messages into structured, actionable medical records — all powered by Postmark's inbound email stream.

The core idea was to create a lightweight and accessible health reporting system for people in rural or underserved areas, where smartphone apps or internet connectivity may be limited — but basic email access still exists.

Here’s how it works:

Health workers or individuals send an email describing their symptoms and location to a designated email address.
That email is captured via Postmark’s inbound webhooks, and a Node.js backend parses the request.
The system analyzes the body of the email to extract symptom keywords and location data.
An automated follow-up email is sent using Postmark’s transactional stream, providing:
- A list of possible symptoms (based on keyword matching)
- First-aid guidance and health tips
- A list of nearby medical facilities (if any are found via OpenStreetMap)
- Important disclaimers to encourage professional consultation
The email is also stored in the system and displayed on a React-based dashboard that health administrators can access.

On the dashboard:

Every medical email is logged as a clickable row in a records table.
Clicking a record reveals full details: patient name (parsed from the email, if available), contact, symptoms, timestamp, reported location, and interaction history.
Admins can assign cases to available healthcare workers using a dropdown menu.
There’s also a secondary table that shows responders — people who have been assigned to past or current cases.
The entire system is built with simplicity and usability in mind. No logins for reporters, no apps to install — just send an email, and the backend + Postmark handles the rest.

This project aims to bridge a real-world gap — using something as basic as email to connect patients and caregivers in low-connectivity regions.

Demo

Video Link:

UI Dashboard link: https://postmark-rural-health-frontend.vercel.app/

🧪 How to Test:
Please use dummy name, disposable email, and dummy email address to test, since the information will be visible on the UI. Emails will still be masked (see the screenshots below for reference)

Send an email to: 694a9f34c5ea169b9bd9c053d783abc0@inbound.postmarkapp.com

Example email format:

Subject: Urgent help needed!
Body:
Feeling nausea from morning, having stomach ache, and pain in muscles. Please help. I live at 121 Worcester Road Framingham MA 01701.

While typing out the address, please try to avoid comma, as openstreet map sometimes doesn't parse the address correctly.

You'll receive an automated response with symptom-specific health tips.

The request will appear in the dashboard for medical volunteers to triage and track.

Code Repository

The project is open-source and available on GitHub:
🔗 https://github.com/Dishebh/postmark-rural-health

How I Built It

The system is built around three core components:

Email ingestion backend
Automated response system
Triage dashboard UI all stitched together with Supabase as the central data hub.

🧰 Tech Stack

⚙️ Backend: Node.js + Express
📬 Email Inbound/Outbound: Postmark (Inbound Webhooks + Transactional Stream)
🗄️ Database: Supabase (PostgreSQL with Auth + RLS)
💻 Frontend: React
🗺️ Geolocation: OpenStreetMap + Haversine Formula

📩 Email Intake & Parsing

Users (typically field workers or patients) send an email to a Postmark inbound address.
The Node.js backend parses:
- 📌 Symptoms using keyword extraction from the body.
- 📍 Location using pattern recognition from free-form address text.
Parsed data is inserted into the medical_reports Supabase table for tracking.

Patient sending email:

Patient received auto-generated email:

🧭 Location Processing & Facility Detection

The backend uses a geocoding API to get coordinates from the raw address.
Hospitals/clinics are fetched from OpenStreetMap.
📐 Using the Haversine formula, the system calculates distances between patient and facility.
🏥 The three nearest hospitals are selected and embedded in the auto-reply, along with clickable OSM links like:
- In the above screenshots, the patient received the locations of nearby hospitals using openstreet map. For example - https://www.openstreetmap.org/?mlat=50.8479749&mlon=-0.7799448&zoom=17&query=Nuffield%20Health%20Chichester%20Hospital

📬 Auto-Reply System

Once the report is processed, the user gets a personalized health advisory via Postmark’s transactional stream.
Email includes:
- ✅ Detected symptoms
- 🩺 Immediate care tips
- 🏥 Nearest medical facilities
- ⚠️ Disclaimers about seeking urgent care if needed
All outbound emails are logged in an auto_reply_emails table for reference.

Patient received auto-generated email:

🧑‍⚕️ Triage Dashboard UI

Frontend is built in React with a clean, table-driven interface.
Displays all reports with sortable and clickable rows.
On click, a side-drawer shows:
- 👤 Name
- 📧 Email
- 📝 Symptoms
- 📍 Location
- 🕒 Timestamp
- 📚 Interaction timeline
A dropdown lets admins assign a responder (stored in the responders table) to each report.

Table to show patient details received via their email:

Please note that in above table, we also show an exclamation icon corresponding to patients that might require urgent help

Clicking on the patient opens up the details drawer:

We can see the auto-generated email for the patient in the UI:

Responders table to create/manage a responder:

🗃️ Supabase Schema

medical_reports – Stores incoming parsed email data
responders – Contains healthcare volunteers/admin users
auto_reply_emails – Tracks the response messages sent out

🐞 Challenges Faced

🚫 Basic INSERT/UPDATE calls were silently failing — no server-side errors.
💡 After hours of debugging, it turned out that Row-Level Security (RLS) was the culprit.
🛡️ Fixed it by creating explicit policies for insert/update/delete tied to my service role — and then it all clicked.

DEV Community: Dishebh Bhayana