I decided to hunt for privilege escalation, so I began with a site where I can assign roles to invited users.

After spending a few hours, I was left with only thousands of requests chilling in my Burp history.

The Discovery…

While exploring the application, one feature looked interesting to me.

In the policy section, the admin can set a restriction so that only admins are allowed to view other users' emails.

I enabled the feature and checked the UI, and the emails of other users within the organization had disappeared.

Next, I checked the API response, and it was doing its job perfectly.

But I knew there might be another endpoint that could still expose the emails. I started exploring the chat section but found nothing.

The Vulnerability

The application has a call feature that allows any user in the organization, including non-admins, to call other users.

While analyzing the requests, I noticed that one endpoint exposes the email even with the policy enabled.


Steps to Reproduce

  1. In the administrator account, go to the settings and configure the policy so that only administrators can view other users' email addresses.
  2. From a user account (non-admin), initiate a voice or video call to any member.
  3. Inspect the captured traffic and observe the request POST /_chat/v2/users/<id>/call, whose response exposes the admin's or user's email address.
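The root cause here is a privacy policy that is enforced inside one endpoint's response builder (the user directory) instead of in one shared place that every endpoint must go through, so the call endpoint serialized the callee on its own and leaked the field. The following is an added example, not code from the original post or from the affected application: a hypothetical minimal model of the "admins only can view emails" policy, a vulnerable call handler that builds its own payload beside a fixed one that routes through a central serializer, and an audit helper that replays the same viewer against every handler and reports which ones leak. All names (`User`, `OrgPolicy`, `serialize_user`, the handler functions, the sample accounts) are assumptions made for the example; only the endpoint path in the comment comes from the write-up.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class User:
    id: int
    name: str
    email: str
    is_admin: bool


@dataclass
class OrgPolicy:
    # Mirrors the write-up's policy: when True, only admins may see others' emails.
    emails_admin_only: bool = False


def can_view_email(viewer: User, policy: OrgPolicy) -> bool:
    """Single decision point for the email-visibility policy."""
    return viewer.is_admin or not policy.emails_admin_only


def serialize_user(viewer: User, target: User, policy: OrgPolicy) -> Dict[str, Any]:
    """Central serializer: every endpoint that returns a user must go through here."""
    data: Dict[str, Any] = {"id": target.id, "name": target.name}
    if can_view_email(viewer, policy):
        data["email"] = target.email
    return data


def users_endpoint(viewer: User, users: List[User], policy: OrgPolicy) -> List[Dict[str, Any]]:
    """The directory endpoint that the write-up found to behave correctly."""
    return [serialize_user(viewer, u, policy) for u in users]


def call_endpoint_vulnerable(viewer: User, callee: User, policy: OrgPolicy) -> Dict[str, Any]:
    """Models POST /_chat/v2/users/<id>/call as found: it hand-builds the callee
    object and never consults the policy, so the email is always present."""
    return {
        "status": "ringing",
        "callee": {"id": callee.id, "name": callee.name, "email": callee.email},
    }


def call_endpoint_fixed(viewer: User, callee: User, policy: OrgPolicy) -> Dict[str, Any]:
    """Same endpoint after the fix: reuses the central serializer."""
    return {"status": "ringing", "callee": serialize_user(viewer, callee, policy)}


def _contains_key(obj: Any, key: str) -> bool:
    """Recursively check whether a JSON-like payload contains `key` anywhere."""
    if isinstance(obj, dict):
        return key in obj or any(_contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_key(v, key) for v in obj)
    return False


Handler = Callable[[User, User, OrgPolicy], Any]


def audit_endpoints(viewer: User, target: User, policy: OrgPolicy,
                    handlers: Dict[str, Handler]) -> List[str]:
    """Regression check: run every user-returning handler as `viewer` and report
    the ones that include an email the policy says `viewer` must not see."""
    if can_view_email(viewer, policy):
        return []
    return [name for name, handler in handlers.items()
            if _contains_key(handler(viewer, target, policy), "email")]


# Constructed sample data for the example.
ADMIN = User(1, "Alice Admin", "alice@example.test", True)
MEMBER = User(2, "Bob Member", "bob@example.test", False)
POLICY = OrgPolicy(emails_admin_only=True)

HANDLERS: Dict[str, Handler] = {
    "users": lambda viewer, target, policy: users_endpoint(viewer, [target], policy),
    "call_vulnerable": call_endpoint_vulnerable,
    "call_fixed": call_endpoint_fixed,
}


if __name__ == "__main__":
    print("leaking handlers for a non-admin viewer:",
          audit_endpoints(MEMBER, ADMIN, POLICY, HANDLERS))
```

The audit helper is the piece worth keeping around: once a field is declared policy-controlled, register every handler that can return a user object and run the audit as a non-admin in CI, so a new endpoint that bypasses the serializer fails the build rather than surfacing in someone's Burp history.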

Timeline:

Dec 8, 2025 → Reported

Dec 19, 2025 → Triaged as Medium severity

Jan 6, 2026 → Rewarded 💸

Thanks for Reading
