Getting access to 25000 employees details
I want to share one of my findings in a private program on HackerOne, which was — critical but straightforward one. During testing for that private program. I found an endpoint for the Internal team management.
After opening the endpoint (refer the Image above), the only thing running in my mind was “How about I check the directories.” Thus, I immediately utilized Dirsearch to brute force all the directories.
Here is the exciting output.
It’s https://37.--.--.--/register :P
Upon opening the URL.
Yuss!!!! Registration page. 😮 anddd….
I tried to register with my details. And.. there was a configuration error. I was like…
I decided to register one more time with the same email and ended up with an error i.e.
“The email is already registered.”
okay, let’s go and log in.
So, I tried to log in with my registered credentials anddd…..
Successfully Logged in….
Admin management page.
Typical employee details pages
Disclosed details include Name, Email, Phone-No, Employee ID, Shifts, Reports, Salaries etc.
Sorry, but I needed to hide some details due to confidentiality issues. Some other critical data was disclosing too but don’t have permission to write further.
After verifying the issue, I quickly submitted the detailed report to the program via HackerOne. They validated and fixed the problem within a few hours.
They permanently fixed the issue by removing the public registration page from the endpoint.
After reporting the issue, I applied dirsearch on most of the critical endpoints belongs to them however no more endpoint was vulnerable to the same problem.
Report Submitted: 25–10–2017
Report Triaged: 25–10–2017
Initial 1300$ Awarded: 25–10–2017
Report closed as Resolved: 25–10–2017
Final 1200$ Awarded: 26–10–2017
As many people messaging me and asking how I found this Asset/Internal team management endpoint. I am providing info about it here,
I found this endpoint using Github issues conversations.
My recon process.
Sublister,knockpy,dnsresolver,dirsearch,bucket finder,massdns etc.
After reporting some low hanging issues, I go out and follow engineering/Security teams on Twitter and Github & look for anything interesting
I go through all the issues/Repositories companies engineering team created publicly on Github.
I read all blog posts by engineering and security team.
I check their DNS every month. Generally, companies stopped using a service and forgot to delete CNAMES pointing to service.
I use their services as the user and continue my recon processes,
I also use Burp Suite pro history tool to find exciting endpoints.
According to me, Recon is not a one time process it’s a continuous process.