The sole purpose of this article is educational and for testing your own applications. It is not intended for piracy or any other illegal use.
This is my first blog, so there may be mistakes, but learning from mistakes makes you an expert.
So, the story about this issue: I was testing the
site XYZ.com [sorry, I can't disclose the name].
After messing around for an hour, I got to a point where data was disclosed.
On the site you can follow a user, an organisation, a tag, etc.
So whenever you follow any user, the response [I usually use the browser console] simply says:
but here you don't see anything that would count as sensitive info.
So I just replayed the request [from the Chrome console] by opening the follow request in a new tab. In the response, it disclosed all the information of the user's profile.
URL like https://XYZ.com/follow
Disclosed information about the user:
- Email (it may be the GitHub or Twitter email)
- Secret key
- All the profile settings, like their notifications [I didn't test the payment section, but I am sure it would disclose the card information too]
But wait, I didn't know what I could do with this secret key. So I tried to find the developer section of the site where I could get information about the secret key [what we can do with this key].
Sadly, they don't have any.
So I decided to explore more features of the site.
And in the settings section I found that you can create an organisation, and there you can invite users by sharing the secret key.
Here we go. Now I knew what I could do with that secret key.
But wait, we have to cross-check whether the disclosed key matches the invitation key.
See, there is one more feature on the site: you can follow an organisation. From the previous step we saw that whenever you follow any user, it discloses that user's information.
So I tried the same, and BINGO!
It disclosed the secret key of the organisation too.
So, without any invitation, we were able to join the organisation.
We could change the organisation settings, post any article, invite any user to the organisation [of course, we have the secret key], and delete the org too.
I quickly contacted them and they patched it within an hour.
That's it for now. Hope you enjoyed it.
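The root cause in both the user-follow and organisation-follow cases is the same: the follow endpoint serialises the whole account object into the response, so the email, secret key and private settings ride along. The example below is added here and is not the site's code; the `Account` model, field names and sample values are constructed to illustrate the vulnerable pattern beside an allowlist-based fix, plus a response check a test suite can run to catch the leak.

```python
# Added example (not the blog's or the site's code). Hypothetical data model
# constructed for illustration; placeholder values, not real data.
from dataclasses import dataclass, asdict


@dataclass
class Account:
    id: int
    username: str
    email: str              # sensitive
    secret_key: str         # sensitive: doubles as the organisation invite key
    notify_on_follow: bool  # private setting


# Vulnerable pattern: dump the whole object into the "follow" response.
def follow_response_vulnerable(target: Account) -> dict:
    return {"status": "following", "user": asdict(target)}


# Hardened pattern: an explicit allowlist of public fields; anything not
# listed never reaches the wire, even if the model grows new columns later.
PUBLIC_FIELDS = ("id", "username")


def follow_response_hardened(target: Account) -> dict:
    return {"status": "following",
            "user": {k: getattr(target, k) for k in PUBLIC_FIELDS}}


# Response check for a test suite or egress filter: report any field from
# the sensitive list that appears anywhere in a JSON-like response body.
SENSITIVE_FIELDS = {"email", "secret_key", "notify_on_follow"}


def leaked_fields(body) -> set:
    found = set()
    if isinstance(body, dict):
        for key, value in body.items():
            if key in SENSITIVE_FIELDS:
                found.add(key)
            found |= leaked_fields(value)
    elif isinstance(body, list):
        for value in body:
            found |= leaked_fields(value)
    return found


# Constructed sample account (placeholder values).
SAMPLE = Account(id=42, username="alice", email="alice@example.com",
                 secret_key="PLACEHOLDER-SECRET", notify_on_follow=True)
```

Running `leaked_fields` over every JSON response in an integration test turns the "replay the request in a new tab" check from this post into an automated regression test.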
Happy Hacking :)