Account Takeover in $Million Company?

Hi, I am Godson

TL;DR

The story of an account takeover in Fastmail:

What is Fastmail?

Bug: Account Takeover

User Interaction Required: False (maybe True?)

Let's go.

The Flow of the Application:

After Entering the email,

Hmm, there is a Skip button. I clicked it.

Yes, the application allowed me to change my password without any verification!

Look closer at that image!

WTF?

Mind Voice:

Heckur Mode ON!

User-Agent

User-Agent replaced!

Wow

Wow, it works!

I reported the bug.

Response:

What? Maybe it is not a bug? (Maybe not a secure design, I think?)

I replied again:

Then the response:

What?

Hi. You said that this is not a bug, but now this bug is fixed. What are you going to say about this?

Response:

Hmm. I am just broken.

Anyway, share your thoughts in the comment box.

Full PoC: https://www.youtube.com/watch?v=mscPpYyWcDA

Let's connect:

Hi, I am Godson | Security Researcher | Backend Dev | CTFer