Yes. The Program Owner is correct at their place. The issue described in this blog talks about performing account takeover due to weak and guessable cryptography. The alias emails are used for the detection and confirmation of the vulnerability. In my case, I do not need any user interaction or access to the victim's email. In this issue, I can use your email, say [email protected], and if your account exists, I can take it over. I hope you understand it now.