Misconfiguration of Hackster leads to sensitive information disclosure for all users.
Hi Hunters,
This is Yeasir Arafat here. Today's write-up is about a sensitive information disclosure on Hackster.io. This bug could affect millions of Hackster users.
How was I able to reproduce this bug?
Okay, I started by creating a Hackster.io account using an email address. After a new account is created, the site assigns it a username, and your profile can be found using that username.
e.g., this is my profile URL with the username:
https://www.hackster.io/yeasir-arafat
When I clicked/visited this URL, my profile was shown publicly. Looking at the traffic in Burp, I noticed one thing: after creating a Hackster account, the site also produces a numeric user account ID.
e.g., the userId endpoint:
https://hackster.io/users/<userId>
You can also find your account ID in the page source or by analyzing the traffic in Burp. If you enter your userId in place of the <userId> parameter and visit this URL, you will be redirected to your profile. Anyone is able to find my ID with this URL.

After that I was able to see the Gmail address, username, IP address and postal code in the page source without logging into my account. Then I repeated the request, changing the userId in the browser, and BOOM!!
I was able to see the same kind of information for any other Hackster user, just like my own account information. It's a very simple trick to find other users' sensitive information.
A Hackster user's information is below. I was able to see his sensitive account data without gaining any access to his account.

GMAIL: xxxxxx@gmail.com
name: Kurt Bilafer
"PostalAddress", "streetAddress": "531 Howard street, suite 200", "addressLocality": "San Francisco", "addressRegion": "CA", "postalCode": "94105", "ip": xxxxxx
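As an added example (not Hackster's code and not the author's), here is a small Python model of the /users/<userId> endpoint described above: a vulnerable handler that serialises the whole user record for any requester, a hardened handler that returns only public fields unless the requester is the profile owner, and a log check that flags a client walking consecutive user IDs, which is the access pattern this bug invites. All user records, field names, IP addresses and log lines are constructed for illustration; the field names are modelled on the JSON-LD fragment shown in the write-up.

```python
"""Added example: owner-only serialisation for a user endpoint, plus a
simple enumeration check over access logs.  Nothing here is Hackster code;
all data is constructed."""
import re
from collections import defaultdict
from typing import Any, Dict, Optional

# Fields that belong on a public profile page. Everything else is private.
PUBLIC_FIELDS = {"id", "username", "name"}

# Constructed sample records (hypothetical users, RFC 5737 documentation IPs).
USERS: Dict[int, Dict[str, Any]] = {
    1001: {"id": 1001, "username": "alice-dev", "name": "Alice",
           "email": "alice@example.com", "ip": "203.0.113.5",
           "postalCode": "94105", "streetAddress": "1 Example St"},
    1002: {"id": 1002, "username": "bob-maker", "name": "Bob",
           "email": "bob@example.com", "ip": "203.0.113.6",
           "postalCode": "10001", "streetAddress": "2 Example Ave"},
}


def vulnerable_profile(user_id: int) -> Optional[Dict[str, Any]]:
    """The flaw in the write-up: whoever asks for /users/<id> gets the
    entire record, including email, IP and postal address."""
    record = USERS.get(user_id)
    return dict(record) if record is not None else None


def hardened_profile(user_id: int,
                     requester_id: Optional[int]) -> Optional[Dict[str, Any]]:
    """Fixed behaviour: the owner (authenticated as the same id) sees the
    full record; anyone else, including anonymous visitors, sees only
    PUBLIC_FIELDS. Unknown ids return None (a 404 in a real handler)."""
    record = USERS.get(user_id)
    if record is None:
        return None
    if requester_id is not None and requester_id == user_id:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def leaked_fields(user_id: int, requester_id: Optional[int] = None) -> set:
    """Fields the vulnerable handler exposes to this requester that the
    hardened handler withholds; useful as a regression check."""
    full = vulnerable_profile(user_id) or {}
    safe = hardened_profile(user_id, requester_id) or {}
    return set(full) - set(safe)


# --- Detection: a client stepping through consecutive user ids -------------

# Common Log Format line for a GET on the user endpoint.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /users/(?P<uid>\d+) ')

# Constructed access log: one client walks ids 1001..1006, another makes
# two unrelated profile views.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jun/2017:10:00:01 +0000] "GET /users/1001 HTTP/1.1" 200 512
192.0.2.9 - - [08/Jun/2017:10:00:02 +0000] "GET /users/1001 HTTP/1.1" 200 512
198.51.100.7 - - [08/Jun/2017:10:00:02 +0000] "GET /users/1002 HTTP/1.1" 200 498
198.51.100.7 - - [08/Jun/2017:10:00:03 +0000] "GET /users/1003 HTTP/1.1" 200 501
198.51.100.7 - - [08/Jun/2017:10:00:04 +0000] "GET /users/1004 HTTP/1.1" 200 507
192.0.2.9 - - [08/Jun/2017:10:00:05 +0000] "GET /users/1050 HTTP/1.1" 200 490
198.51.100.7 - - [08/Jun/2017:10:00:05 +0000] "GET /users/1005 HTTP/1.1" 200 503
198.51.100.7 - - [08/Jun/2017:10:00:06 +0000] "GET /users/1006 HTTP/1.1" 200 511
192.0.2.9 - - [08/Jun/2017:10:00:07 +0000] "GET /projects/42 HTTP/1.1" 200 900
"""


def find_enumeration(log_text: str, min_run: int = 5) -> Dict[str, int]:
    """Return {client_ip: longest run of consecutive user ids} for clients
    whose longest run is at least min_run. Consecutive-id runs are a strong
    signal of id enumeration rather than normal browsing."""
    ids_by_ip: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(int(m["uid"]))
    flagged: Dict[str, int] = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("anonymous, vulnerable:", vulnerable_profile(1001))
    print("anonymous, hardened:  ", hardened_profile(1001, None))
    print("withheld fields:      ", sorted(leaked_fields(1001)))
    print("enumerating clients:  ", find_enumeration(SAMPLE_LOG))
```

The design point is that the serialiser, not the template, decides what leaves the server: a public profile page can still be rendered from `hardened_profile`, while email, IP and address only appear when the session user id matches the requested id. The log check is deliberately simple; in a real deployment it would run over a time window and alert rather than just return a dict.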
After I reported this issue to Hackster, they fixed it.
Reported date: 08–06–2017
Fixed date: 08–07–2017
For clarity, see the PoC video:
Thanks
Bangladeshi Bug Bounty Hunter.
