Hello folks, it’s been a long since I didn’t post an article about my findings, hence I was busy with my personal life.
I am here to share my recent finding on a private bug bounty program. I have got some experience on testing API sites. It’s more fun to play with them.
Let’s say the vulnerable site name is redact.io. The site is using API to fetching the user data from the server as such api.redact.io.
Before targeting on api.redact.io I try to understand how the site API was working. I read the full documentation from docs.redact.io. This is very important to know how your target site is working, you can make a right approach after gathering knowledge about your target.
I came to know that the targeted domain redact.io is fetching user sensitive data using this endpoint https://api.redact.io/service/<userID>. Here the userID is the unique userID of a user of that site.
While I tried to catch the fetching data from the URL without authorization https://api.redact.io/service/<userID> it’s returning me an 404 error,,
Hmm? What next?
It seems the site is working fine, No info leaking. I found a little trick here to exposed user sensitive information such as Email, userId, userName, scope etc.
Replacing the UserName on UserID field disclose the information of a user of redact.io without authorization. The site scope(service) is carrying user information behind the GET request in API.
If you take a look at the UserName you can see it’s the same one above UserId I mentioned.
Basically, this flaw occurs via misconfigured or unsecured API. Which is not configured properly and allows an attacker to steal victims sensitive information.
09-Aug-2018 → Bug Reported
22-Aug-2018 → Bug Fixed
23-Aug-2018 →> Bounty Awarded
Thanks for reading! Yeasir Arafat