How I Found Information Disclosure on

Hi, this is my first write-up on
11 days ago I found a vulnerability on when I was looking for an answer to my homework (I was lazy at that time).

Then I made a document and made the document private.

In my heart I thought that the download button made me curious, so I decided to intercept the request before pressing the download button, and I found a request with the POST method to the URL:

Then I would make a document, give the document a password (make it private), and try to get access from another account. After that I created a new account and made a CSRF whose contents were more or less like this:


<html>
<head>
<title>Scribd Vulnerability</title>
</head>
<body>
<form action="" method="POST">
<input type="hidden" name="id" value="(ID FILE)" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

and tried to do pentesting.

Bingo! After that I managed to get the password to see the private document. After that I asked the Scribd IT security team whether there was a bug bounty program or not. After 11 days (when I wrote this) I immediately reported this bug to the Scribd team so that it could be fixed.
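
The access-control gap described above, modelled as an added example that is not part of the original write-up and is not Scribd's code. The document store, field names and handler names are assumptions; the sample data is constructed. It shows a handler that trusts the posted `id` next to one that checks the caller server-side and never returns the password.

```python
# Constructed model of the flaw described above: an endpoint that looks up a
# document by ID alone and returns its metadata, password included.
# All names and data here are assumptions for illustration.
import hmac
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: str
    owner: str
    private: bool
    password: str  # a real service should store only a salted hash


DOCS = {"1001": Document("1001", "alice", True, "s3cret-constructed")}


def download_info_vulnerable(session_user: str, doc_id: str) -> dict:
    """Flawed: trusts the posted id and never checks who is asking."""
    doc = DOCS[doc_id]
    return {"id": doc.doc_id, "private": doc.private, "password": doc.password}


def download_info_fixed(session_user: str, doc_id: str, supplied_password: str = "") -> dict:
    """Checks authorization server-side and never echoes the password."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return {"status": 404}
    is_owner = session_user == doc.owner
    knows_password = hmac.compare_digest(supplied_password.encode(), doc.password.encode())
    if doc.private and not (is_owner or knows_password):
        return {"status": 403}
    return {"status": 200, "id": doc.doc_id, "private": doc.private}


def regression_check() -> bool:
    """True when a second account cannot learn the password from any response."""
    for pw in ("", "wrong-guess"):
        resp = download_info_fixed("mallory", "1001", pw)
        if resp["status"] != 403 or "s3cret-constructed" in str(resp):
            return False
    return True
```

A check like `regression_check` belongs in the endpoint's test suite, run with a second, unprivileged account against every response field.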

Full video PoC on my blog:
My YouTube channel: T-GOX Channel


  • 19 November 2018 16:59 PM = Reported to Scribd Security Team
  • 20 November 2018 01:58 AM = Their team reviewed my report
  • No response after 4 days, so I decided to write up this issue