Crazy PII leak via API Misconfiguration

Hi everyone, today we’ll look at one of the external penetration tests that I carried out. The vulnerability has already been patched, however due to confidentiality agreements, the vulnerable website will be anonymized (hence, we will use the usual example.com domain).

The test is Black Box with zero information being provided from the customer. The only thing we know is that we are allowed to test example.com and any subdomain (*.example.com).

Paywall blocking you? Here is a friend link…