Ahmad Yussef
2 min readNov 27, 2024

How I was able to disclose all emails, full names and usernames, leading to user/admin PII disclosure, and invite any user/admin to any run without knowing their email address.

In the name of God, the Most Gracious, the Most Merciful

Assalamu alaikum. In this write-up I will show you an easy bug that I found on my target, which earned me a $$$$ bounty.

For those who don't know me, my name is Ahmad Yousef, known in the community as a7madn1. I publish write-ups of the security vulnerabilities I find in bug bounty programs on my Telegram channel, t.me/a7madn1.

Summary:

Let's say the target is domain.com.

I found an Insecure Direct Object Reference (IDOR) on app.domain.com. It happens when an attacker creates a scheduled run, intercepts the request in Burp Suite, and changes the scheduled_run[user_ids][] parameter to the victim's user id.

  • What is a Run: this function is for whatever you want to manage in your workflow.
  • What is Scheduled: this function lives inside Run and is used to automate your Run.
    Example: you have a Run with many things that must be done; via the schedule function you can set the time at which you want the run to be executed.

Note:

When you want to invite anyone to your Run, you must have their email.

But I bypassed this and was able to invite any user to my Run without knowing their email.

(I was also able to create and control the victim's profile schedule; I will write that up later, InShaAllah.)

Steps To Reproduce:

  1. Go to https://domain.com/scheduled_runs
  2. Click on Recurring Run; you will be redirected to https://domain.com/scheduled_runs/new
  3. Open Burp Suite.
  4. Enter a random time of day at which you want the run to be executed.
  5. When you click Save, intercept the request in Burp Suite.
  6. The request will contain these parameters:

authenticity_token=&scheduled_run[run_at]=6Am&scheduled_run[user_ids[]=&scheduled_run[started_at]=&scheduled_run[active]=0&commit=Save

Replace the value of the scheduled_run[user_ids][] parameter with the victim's user id.
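The server-side cause, shown as an added example (not the target's code): the handler attaches whatever ids arrive in scheduled_run[user_ids][] to the run, so rendering the invitee list later discloses name and email of any account. The hardened version checks each submitted id against the set the current user may invite (same workspace here; the workspace rule, user table and id values are constructed placeholders).

```ruby
require 'uri'

# Constructed sample: the intercepted form body from the write-up, with two
# ids in scheduled_run[user_ids][] (1002 is a colleague, 42 is an outsider).
SAMPLE_BODY = "authenticity_token=tok&scheduled_run[run_at]=6Am" \
  "&scheduled_run[user_ids][]=1002&scheduled_run[user_ids][]=42" \
  "&scheduled_run[started_at]=&scheduled_run[active]=0&commit=Save"

# Constructed user directory: id => workspace and the PII the run page renders.
USERS = {
  7    => { workspace: "acme",  email: "owner@example.com" },
  1002 => { workspace: "acme",  email: "colleague@example.com" },
  42   => { workspace: "other", email: "victim@example.com" },
}

# Pull every scheduled_run[user_ids][] value out of a Rails-style form body.
# Non-numeric values are dropped rather than raising.
def submitted_user_ids(body)
  URI.decode_www_form(body)
     .select { |key, _| key == "scheduled_run[user_ids][]" }
     .map { |_, value| Integer(value, exception: false) }
     .compact
end

# Vulnerable pattern: client-supplied ids are trusted as-is, so any user id
# can be attached to the run and its PII shown back to the run owner.
def invite_unchecked(body)
  submitted_user_ids(body)
end

# Hardened pattern: only ids the current user is entitled to reference are
# accepted; a foreign id fails the whole request instead of being dropped
# silently, which also gives the detection team a clear event to log.
def invite_checked(current_user_id, body)
  workspace = USERS.fetch(current_user_id)[:workspace]
  allowed   = USERS.select { |_, u| u[:workspace] == workspace }.keys
  ids       = submitted_user_ids(body)
  foreign   = ids - allowed
  return { ok: false, rejected: foreign } unless foreign.empty?
  { ok: true, invited: ids }
end
```

Logging the rejected ids from invite_checked, keyed by current_user_id, is a cheap way to spot someone iterating through user ids.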

Conclusion:

With this bug I was able to get:

  1. User/admin PII disclosure.
  2. Invite any user to my Run without knowing their email.

Thanks for reading, I hope you enjoyed it.

Join my Telegram channel for bug bounty tips:

t.me/a7madn1
LinkedIn:

https://www.linkedin.com/in/ahmad-yussef-12b5a7262

Twitter(x):

https://x.com/a7mad__n1

Facebook:

https://www.facebook.com/a7madn11?mibextid=ZbWKwL

#bugbountytips #cybersecurity #bugs #Idor #hacking #hackerone
