Sensitive Information Leak Leads to Joining Any Organisation

Shivbihari Pandey
Nov 4, 2017 · 3 min read

Disclaimer:

The sole purpose of this article is educational and for testing of your own applications. This is not intended for piracy or any other non-legal use.

Description:

This is my first blog, so there may be mistakes, but learning from mistakes makes you an expert.

So, the story behind this issue: I was testing the

site: XYZ.com [sorry, can't disclose the name]

After messing around for an hour, I got to a point where data was disclosed.

On the site you can follow a user, an organisation, a tag, etc.

So whenever you follow any user, the response [I usually use the browser console] simply says:

{"outcome":"followed"}

Request: [screenshot: follow any user]

Response: [screenshot: response when you follow the user]

But here you don't see anything that makes it sensitive info.

So I just replayed the request [from the Chrome console] by opening the follow request in a new tab. In the response it disclosed all the information of the user profile.

URL like https://XYZ.com/follow

Disclosed information about the user:

  1. Email (it may be the GitHub or Twitter email)
  2. Secret key
  3. All the profile settings, like their notifications [I didn't test the payment section, but I am sure it will disclose the card information too]

[screenshot: email and secret key disclosed]
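The root cause described above is a handler that serialises the whole stored user object into the follow response. The following is an added example, not code from the original post or from the site it describes: a small model of that endpoint with the over-exposed response beside a hardened one that projects objects through an explicit allow-list, plus a regression check that walks a response body and reports any private key that reached it. The class names, field names and the allow-list are all assumptions.

```python
# Added example (not code from the original post or from the site it describes):
# a small model of the "follow" endpoint showing the over-exposed response beside
# a hardened one, plus a check that fails whenever a private field reaches a
# response body. Every name here (User, Organisation, field names) is assumed.
from dataclasses import dataclass, asdict, field

# Allow-list of fields another user may ever see, per object type (assumed).
PUBLIC_FIELDS = {
    "User": ("id", "username", "display_name"),
    "Organisation": ("id", "name"),
}

# Key names that must never appear in any response body (assumed deny-list,
# used only by the detection check, never as the serialisation rule).
SENSITIVE_KEYS = {"email", "secret_key", "password_hash", "card_number"}


@dataclass
class User:
    id: int
    username: str
    display_name: str
    email: str                 # private
    secret_key: str            # private: doubles as an invitation credential
    notifications: dict = field(default_factory=dict)  # private settings


@dataclass
class Organisation:
    id: int
    name: str
    secret_key: str            # private: sharing it grants membership


def public_view(obj) -> dict:
    """Project an object onto its public fields only. The allow-list is the
    rule; adding a new private column can never widen the response."""
    allowed = PUBLIC_FIELDS[type(obj).__name__]
    data = asdict(obj)
    return {k: data[k] for k in allowed if k in data}


def follow_vulnerable(target) -> dict:
    """The pattern the post describes: the handler serialises the whole stored
    object, so email and secret_key ride along with the outcome."""
    return {"outcome": "followed", "target": asdict(target)}


def follow_fixed(target) -> dict:
    """Hardened handler: confirm the outcome and return only public fields."""
    return {"outcome": "followed", "target": public_view(target)}


def leaked_keys(body) -> set:
    """Regression check for tests or CI: walk a decoded JSON body recursively and
    return every key that is on the sensitive list. Empty set means clean."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in SENSITIVE_KEYS:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(body)
    return found


# Constructed sample data for a stand-alone run; nothing here is real.
SAMPLE_USER = User(1, "alice", "Alice", "alice@example.com", "sk_constructed_value")
SAMPLE_ORG = Organisation(7, "Example Org", "org_sk_constructed_value")

if __name__ == "__main__":
    for handler in (follow_vulnerable, follow_fixed):
        for target in (SAMPLE_USER, SAMPLE_ORG):
            body = handler(target)
            print(handler.__name__, type(target).__name__, "leaks:", sorted(leaked_keys(body)))
```

The allow-list is the actual serialisation rule; the deny-list in `SENSITIVE_KEYS` only backs a test, because a deny-list used for serialisation silently fails the first time someone adds a new private column.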

But wait, I didn't know what I could do with this secret key, so I tried to find the developer section of the site where I could get information about the secret key [what we can do with this key].

Sadly, they don't have any.

So I decided to explore more features of the site.

And in the settings section I found that you can create an organisation, and there you can invite users by sharing the secret key.

[screenshot: organisation member]

Here we go. Now I know what I can do with that secret key.

But wait, we have to cross-check whether the disclosed key matches the invitation key.

See, there is one more feature in the site: you can follow an organisation. From the previous step we saw that whenever you follow any user, it discloses that user's information.

So I tried the same, and BINGO!

[screenshot: organisation secret key]

It discloses the secret key of the organisation too.

So, without any invitation, we are able to join the organisation.

We can change the organisation settings, post any article, invite any user to the organisation [of course, we have the secret key], and delete the org too.
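The impact here comes from the invitation key being a single long-lived secret that lives on the organisation record, so any leak of that record is a leak of a join credential. The following is an added example, not the site's code or anything the post shows: an assumed invitation design in which each invite is a random, single-use, expiring token bound to one invitee, and the server stores only its hash, so an over-exposed response or database row carries nothing that can be redeemed. Class names, the TTL and the sample addresses are constructed.

```python
# Added example (not the site's code): one way to issue organisation invitations
# so that no long-lived secret is ever stored on a profile or returned by an
# endpoint. Each invite is a random, single-use, expiring token bound to one
# invitee, and the server keeps only its hash. All names and the TTL are assumed.
import hashlib
import secrets
import time
from dataclasses import dataclass, field

INVITE_TTL_SECONDS = 7 * 24 * 3600   # assumed validity window


@dataclass
class Invite:
    invitee_email: str
    expires_at: float
    used: bool = False


@dataclass
class Organisation:
    name: str
    members: set = field(default_factory=set)
    invites: dict = field(default_factory=dict)   # sha256(token) -> Invite


def _token_hash(token: str) -> str:
    # Store a hash, not the token: a leaked database row or over-exposed
    # response then carries nothing that can be redeemed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_invite(org: Organisation, inviter: str, invitee_email: str, now=None) -> str:
    """Only an existing member may invite. Returns the one-time token that the
    inviter delivers out of band; the organisation record never holds it."""
    if inviter not in org.members:
        raise PermissionError("only members can invite")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    org.invites[_token_hash(token)] = Invite(invitee_email, now + INVITE_TTL_SECONDS)
    return token


def accept_invite(org: Organisation, user_email: str, token: str, now=None) -> bool:
    """Redeem a token. Fails closed on an unknown, used or expired token and on a
    token presented by someone other than the intended invitee."""
    now = time.time() if now is None else now
    invite = org.invites.get(_token_hash(token))
    if invite is None or invite.used or now > invite.expires_at:
        return False
    if invite.invitee_email != user_email:
        return False
    invite.used = True
    org.members.add(user_email)
    return True


def scenario(now: float = 1000.0) -> dict:
    """Deterministic walk-through with constructed data, used for the
    stand-alone run below and for checks."""
    org = Organisation("Example Org", members={"owner@example.com"})
    tok = issue_invite(org, "owner@example.com", "bob@example.com", now=now)
    results = {
        "token_stored_in_clear": tok in org.invites,
        "stranger": accept_invite(org, "mallory@example.com", tok, now=now + 1),
        "invitee": accept_invite(org, "bob@example.com", tok, now=now + 1),
        "replay": accept_invite(org, "bob@example.com", tok, now=now + 2),
    }
    tok2 = issue_invite(org, "owner@example.com", "carol@example.com", now=now)
    results["expired"] = accept_invite(
        org, "carol@example.com", tok2, now=now + INVITE_TTL_SECONDS + 1
    )
    results["members"] = sorted(org.members)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With this shape, the profile and organisation records contain no value that grants membership, so even the over-exposed follow response from the post would not have let a stranger join; the serialisation fix and this design fix address the same finding from two sides.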

I quickly contacted them and they patched it within an hour.

That's it for now. Hope you enjoyed it.

Happy Hacking :)


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
