Hi!
We just tested a bug/flaw that shouldn't be possible, and I'm not sure it's even an issue if you don't have backend access.
Problem: We have a user who didn't have access to his mail account and didn't have his password at the moment, but he really needed a mail and called us for help. We validated that it was a legitimate user and request. He just wanted us to access the account without changing the password so he could get the code that was in his mail.
Solution/Bug:
1) We changed his email address from, let's say, account@mailsystem.com to account1@mailsystem.com.
2) We created a new account named account@mailsystem.com and set a password we know.
3) In an incognito/private window we logged in on webmail, and of course it was an empty new mail account.
4) Still having the webmail of account@mailsystem.com open, we deleted the newly created account on the backend and changed account1@mailsystem.com back to account@mailsystem.com.
5) We refreshed the incognito/private window and all the user's email showed up.
This is absolutely a way to access accounts in "shadow mode", and with privacy thinking in place I don't really think it should be possible, so a fix for this should be in place.
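The behaviour described in the post is consistent with the webmail session being bound to the mailbox address rather than to a stable account identifier, so that after the rename the open session resolves to whatever mailbox currently carries that address. The following is an added example, not code from the post or from any real mail system: a toy backend that replays steps 1 to 5 with both session bindings. The class, method and field names, the UUID account IDs and the mail contents are all constructed for illustration; only the two addresses and the procedure come from the post.

```python
"""Model of the session-binding behaviour described in the post above.

Added example, not code from any real mail system. A web session is bound
either to the mailbox address (the behaviour the post reports) or to an
immutable account ID (the fix). Names and data are constructed.
"""
import uuid


class MailBackend:
    def __init__(self, bind_session_to_address: bool):
        self.bind_session_to_address = bind_session_to_address
        self.accounts = {}  # address -> record; the record carries an immutable id
        self.sessions = {}  # session token -> address or account id

    # --- backend / admin operations ---
    def create_account(self, address, password):
        acct = {"id": uuid.uuid4().hex, "password": password, "mail": []}
        self.accounts[address] = acct
        return acct["id"]

    def rename_account(self, old, new):
        # Only the key changes; the record (and its id) is the same object.
        self.accounts[new] = self.accounts.pop(old)

    def delete_account(self, address):
        acct = self.accounts.pop(address)
        # Belt and braces for the hardened variant: drop sessions bound to this id.
        self.sessions = {t: b for t, b in self.sessions.items() if b != acct["id"]}

    # --- webmail ---
    def login(self, address, password):
        acct = self.accounts.get(address)
        if acct is None or acct["password"] != password:
            return None
        token = uuid.uuid4().hex
        self.sessions[token] = address if self.bind_session_to_address else acct["id"]
        return token

    def inbox(self, token):
        binding = self.sessions.get(token)
        if binding is None:
            return None  # no such session
        if self.bind_session_to_address:
            acct = self.accounts.get(binding)
        else:
            acct = next((a for a in self.accounts.values() if a["id"] == binding), None)
        return None if acct is None else list(acct["mail"])


def run_shadow_access(bind_session_to_address):
    """Replay steps 1-5 from the post; return what the refreshed window shows."""
    be = MailBackend(bind_session_to_address)
    be.create_account("account@mailsystem.com", "user-secret")
    be.accounts["account@mailsystem.com"]["mail"].append("the code the user needed")

    be.rename_account("account@mailsystem.com", "account1@mailsystem.com")  # step 1
    be.create_account("account@mailsystem.com", "admin-known")               # step 2
    token = be.login("account@mailsystem.com", "admin-known")                # step 3
    assert be.inbox(token) == []                                             # empty new mailbox
    be.delete_account("account@mailsystem.com")                              # step 4
    be.rename_account("account1@mailsystem.com", "account@mailsystem.com")
    return be.inbox(token)                                                   # step 5


if __name__ == "__main__":
    print("address-bound session sees:", run_shadow_access(True))
    print("id-bound session sees:", run_shadow_access(False))
```

With the address-bound variant the refreshed session returns the original user's mail, as in step 5 of the post; with the id-bound variant the session points at an account that no longer exists and returns nothing, even without the session cleanup in delete_account.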