How a Misconfigured API Leaked Users' Private Information

Yeasir Arafat
Oct 26, 2018 · 2 min read

Hello folks, it has been a long time since I last posted an article about my findings, as I was busy with my personal life.

I am here to share a recent finding from a private bug bounty program. I have some experience testing API sites; they are fun to play with.

Let’s say the vulnerable site’s name is . The site uses an API to fetch user data from the server, like so:

Before targeting , I tried to understand how the site’s API worked. I read the full documentation from . This is very important: knowing how your target site works lets you choose the right approach once you have gathered knowledge about it.


I came to know that the targeted domain fetches sensitive user data through this endpoint <userID>. Here userID is the unique ID of a user of that site.

When I tried to fetch the data from the URL <userID> without authorization, it returned a 404 error.


Hmm? What next?

It seemed the site was working fine, with no info leaking. Then I found a little trick here to expose sensitive user information such as email, userId, userName, scope, etc.

Replacing the userID in the path with the userName disclosed the information of a user of without authorization. The site’s scope (service) returns the user information in the response to the API GET request.


If you look at the userName, you can see it belongs to the same user as the userID I mentioned above.

Basically, this flaw comes from a misconfigured or unsecured API: the authorization check that protected the lookup by userID was not applied to the lookup by userName, so an attacker who knows (or can guess) a victim’s userName can retrieve the victim’s sensitive information without authenticating. It is an instance of broken object-level authorization, and the practical check is the one used here: request the same object through every identifier form the endpoint accepts, with no credentials, and compare the responses.
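To make the failure concrete, here is an added example in Python (my own code, not the post’s and not the affected site’s) that models the behaviour described above: a single lookup route whose authorization check guards only the numeric-userID branch, beside a hardened version, and a small probe that tries both identifier forms without a token, as the post did. The route shape, field names, token store and user records are assumptions constructed for illustration; the real site’s implementation is unknown.

```python
"""Added example (not code from the original post or from the affected site).

A small Python model of the behaviour described above: an unauthenticated
GET /users/<userID> answers 404, yet GET /users/<userName> returns the
record. The route shape, token store, field names and user records are all
constructed for illustration; the real site's implementation is unknown.
"""
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Tuple

Response = Tuple[int, Dict[str, object]]


@dataclass(frozen=True)
class User:
    userId: int
    userName: str
    email: str
    scope: str


# Constructed sample data standing in for the site's user table.
USERS = (
    User(1001, "alice", "alice@example.com", "read:profile"),
    User(1002, "bob", "bob@example.com", "read:profile write:profile"),
)

# Constructed bearer tokens -> userId of the caller (hypothetical auth layer).
VALID_TOKENS = {"token-alice": 1001, "token-bob": 1002}


def _by_id(user_id: int) -> Optional[User]:
    return next((u for u in USERS if u.userId == user_id), None)


def _by_name(user_name: str) -> Optional[User]:
    return next((u for u in USERS if u.userName == user_name), None)


def vulnerable_handler(path_param: str, token: Optional[str]) -> Response:
    """Hypothetical vulnerable lookup: one route accepts either a numeric
    userID or a userName, but the authorization check only guards the
    numeric branch. This reproduces what the post observed."""
    if path_param.isdigit():
        if token not in VALID_TOKENS:
            # Unauthenticated request for /<userID>: the 404 seen in the post.
            return 404, {"error": "not found"}
        user = _by_id(int(path_param))
    else:
        # Fallback lookup by name with no check at all: the leak.
        user = _by_name(path_param)
    if user is None:
        return 404, {"error": "not found"}
    return 200, asdict(user)


def hardened_handler(path_param: str, token: Optional[str]) -> Response:
    """Fixed lookup: authenticate before touching the store, accept only
    the documented identifier form, and enforce object-level authorization
    so a caller can only read their own record."""
    caller_id = VALID_TOKENS.get(token) if token else None
    if caller_id is None:
        return 401, {"error": "unauthorized"}
    if not path_param.isdigit():
        return 404, {"error": "not found"}
    user = _by_id(int(path_param))
    # Same 404 whether the record is missing or belongs to someone else,
    # so the endpoint does not confirm which userIDs exist.
    if user is None or user.userId != caller_id:
        return 404, {"error": "not found"}
    return 200, asdict(user)


def probe(handler, user_id: str, user_name: str) -> Dict[str, bool]:
    """Check a handler the way the post did: try both identifier forms
    without any token and report which one exposes an email address."""
    leaks = {}
    for label, param in (("by_id", user_id), ("by_name", user_name)):
        status, body = handler(param, None)
        leaks[label] = status == 200 and "email" in body
    return leaks


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handler, "1001", "alice"))
    print("hardened:  ", probe(hardened_handler, "1001", "alice"))
```

Running the module prints the probe result for each handler. The point of the hardened version is that it makes the authorization decision once, before any lookup, and refuses the undocumented identifier form entirely, rather than letting the shape of the path parameter decide whether the check runs.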

09-Aug-2018 → Bug Reported

22-Aug-2018 → Bug Fixed

23-Aug-2018 → Bounty Awarded

Thanks for reading! Yeasir Arafat
