Hi, long time no see. I have 13 triaged reports to write. I think it is delayed due to COVID-19. Today I want to share how I found a bug at 8x8.
I used shodan.io to search for some services.
Dork: hostname:8x8.com
and I found one InfluxDB service. I googled InfluxDB.
Authentication - influxdb.com
The InfluxDB HTTP API includes simple, built-in authentication based on user credentials. When authentication is…
Authentication is disabled by default. All HTTP requests are executed when authentication is disabled.
I found this thread. InfluxDB's auth is disabled by default. So I tried to send some queries using curl.
curl -G "http://redact:8086/query" --data-urlencode 'q=show databases'
I got the list of all databases.
curl -G "http://redact:8086/query" --data-urlencode 'q=show users'
I got the users list.
I reported it to 8x8 via HackerOne. 8x8 accepted my report and it is now resolved.
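A defender-side check for the condition described above, as an added example that is not part of the original post: it reads the [http] section of an InfluxDB 1.x influxdb.conf and reports whether the HTTP API is unauthenticated and listening beyond loopback. It assumes the 1.x config layout with the auth-enabled and bind-address keys; the function name, risk labels and sample configs are constructed for illustration.

```bash
#!/usr/bin/env sh
# Added example, not from the original post. Assumes InfluxDB 1.x influxdb.conf.
# Prints: auth=<enabled|disabled> bind=<addr> risk=<ok|local-only|open>
influx_http_audit() {
  awk '
    /^[ \t]*#/  { next }                                      # comment line
    /^[ \t]*\[/ { in_http = ($0 ~ /^[ \t]*\[http\]/); next }  # section header
    in_http && /^[ \t]*(auth-enabled|bind-address)[ \t]*=/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); sub(/#.*/, "", val)
      gsub(/[ \t\r"]/, "", val)                               # trim, unquote
      cfg[key] = val
    }
    END {
      # Absent keys fall back to: authentication off, listen on all interfaces.
      auth = (cfg["auth-enabled"] == "true") ? "enabled" : "disabled"
      bind = ("bind-address" in cfg) ? cfg["bind-address"] : ":8086"
      loopback = (bind ~ /^(127\.|localhost:|\[::1\])/)
      if (auth == "enabled") risk = "ok"
      else if (loopback)     risk = "local-only"
      else                   risk = "open"
      print "auth=" auth " bind=" bind " risk=" risk
    }
  ' "$1"
}

# Constructed sample configs (not taken from any real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/default.conf" <<'EOF'
[http]
  enabled = true
  bind-address = ":8086"
  # auth-enabled = false
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
[http]
  bind-address = "127.0.0.1:8086"
  auth-enabled = true
EOF
for f in "$SAMPLES"/*.conf; do
  printf '%s: %s\n' "${f##*/}" "$(influx_http_audit "$f")"
done
```

A result of risk=open is the state the curl queries above rely on: the same request against an instance with authentication enforced is rejected unless it carries credentials.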
Thanks for reading. See you in the next bug, and stay at home.