Million Users PII Leak Data Leak

Shivbihari Pandey
Nov 18 · 3 min read

Hello Everyone

Hope you are doing good

Today i am going to discuss about the information leak in some popular websites .For Privacy Purpose we will not discuss about company Name.

1: Million of users Medical records and there personal Details Leak due to AWS S3 bucket mis-configuration:

I was testing there websites for an hour and didn’t able to find any High Severity bug,after an hour of reconan dtesting ,i was able to found couple of IDOR and XSS, but i wanted to find some critical issue.

I was about to give up , suddenly i see ,they are using Amazon Cloudfront Service for storing public image && URL look something like this

https://d3ez8in977xyz.cloudfront.net/avatars/009afs8253c47248886d8ba021fd411f.jpg

initially i think its just public data but i try to visit https://d3ez8in977xyz.cloudfront.net , and i found that they storing public images , but after seeing other files i was shocked to see they have stored some personal data publicly like:

video chat, audio calls, text message and some user private files.

well these files have contained conversion between the patient and Doctors.

and different domain have there different storage bucket and so i start finding the other domain image storage location, and each bucket have thousands of data, well i didn’t calculated how many users info stored in it, but after googling the company users , found out they have millions users.

this is the one of bucket Pic :in csv file ,it contain Text Messages between them

Bucket List

So I Quickly reported to them and they resolved it within hour and awarded me $2500 bounty with $500 bonus bounty.

Funny Thing here is that

I have listened some of the audio files and i found one thing common , most of them are about Girlfriend/Boyfriend Issues, and they all crying about how they are suffering with anxiety after he/she dumped him/her ,because they find there partners Cheating . 😄

2: Internal Admin Account Access ,Leak Business Partners Details

So this is Story About blind stored XSS Found in Giant MNC Company, website,by this i was able to get the details of admin account [Access Token and other personal details]and along with, i was able to get there Business Clients details too.

I found Vulnerable point in their form , and these form data is stored in Local admin account.

so instead of simple XSS payload, i used XSSHunter Payload , so whenever my payload executed , it will send data back to me.

PII Data Leak

For this Issue, they awarded me $1250 Bounty

That’s it for Now

If you Love It, Feel Free to ReTweet it.

Rich Guy Can Donate Here 😄

Good Bye..!!


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Shivbihari Pandey

Written by

security researcher

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade