I found this bug almost by accident. It wasn’t a program I knew well or had spent much time on, but around New Year’s Eve I found a pre-account-takeover vulnerability on it (similar to this one) and it turned out to be a duplicate :(
So I was just looking around for some low-hanging fruit and I noticed an interesting photo URL. The format was something like:
https://program.com/photos/111/222.jpg
It drew my attention for two reasons:
- the image id seems iterable
- there is no token or key protecting this asset
But it was a public subdomain with some educational stuff, and it could simply have been public content. I manually iterated through several ids and immediately found some photos that looked more private than the ones in the public articles. It also appeared that there were a lot of images in the folder.
I was ready to give up, but a friend of mine iterated through more photos and we developed some theories. The data seemed to be connected with a different feature which definitely shouldn’t be public. We also discovered there were several similar collections, and they all seemed to have protection. I had found the one that was left behind. It also seemed to store all the images from this service.
I reported the bug; it was immediately confirmed and, after a while, fixed.
The lessons from this vulnerability
- Sequential, iterable ids in this kind of storage are not a good idea; in case of a fuckup, random ids would at least give some protection.
- Storage for public assets and storage for sensitive assets should be separated; they require different types of protection.
- If possible, access to private images should require login. If that is not possible (external storage), they should be protected with a token or key.
- Some monitoring could be added to have visibility over these endpoints and detect attackers iterating through thousands of photos.
Bonus:
If you develop an application with chat or some sharing capability — be sure users are aware of the risk. If they regularly put sensitive assets in the chat, it’s definitely the product’s responsibility to protect their privacy and security.
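The lessons above boil down to three mechanisms: unguessable asset ids, a signed and expiring URL for anything that cannot sit behind a login, and monitoring that notices a client walking sequential ids. The following Python is an added example written for this post, not code from the affected program or its vendor; the hostname, signing key and log lines are constructed for illustration, and the HMAC-signed URL format is an assumption about how one might implement the "token or key" lesson.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; a real deployment loads this from a secret store.
SIGNING_KEY = b"example-key-not-for-production"


def new_asset_id() -> str:
    """Lesson 1: 128 bits of randomness per stored object, so knowing one id
    says nothing about its neighbours (unlike /photos/111/222.jpg)."""
    return secrets.token_urlsafe(16)


def sign_private_url(asset_id: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Lesson 3 (external storage): bind the asset id and an expiry into an
    HMAC, so the URL is only usable when issued by the application."""
    msg = f"{asset_id}:{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    query = urlencode({"exp": expires_at, "sig": sig})
    return f"https://private-assets.example/photos/{asset_id}?{query}"  # constructed host


def verify_private_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Check performed by the storage front-end before serving the object."""
    parsed = urlparse(url)
    asset_id = parsed.path.rsplit("/", 1)[-1]
    qs = parse_qs(parsed.query)
    try:
        expires_at = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires_at:  # expired links are rejected even if the MAC is valid
        return False
    expected = hmac.new(key, f"{asset_id}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


# Lesson 4: detection over access logs. Constructed log format: "<ip> <method> <path> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) /photos/(?P<album>\d+)/(?P<id>\d+)\.jpg (?P<status>\d{3})$")


def longest_consecutive_run(sorted_ids):
    """Length of the longest run of adjacent integers in an ascending list."""
    best = cur = 1 if sorted_ids else 0
    for prev, nxt in zip(sorted_ids, sorted_ids[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def enumeration_suspects(log_lines, min_run: int = 5):
    """Return {client_ip: run_length} for clients whose requested photo ids
    contain a run of at least `min_run` consecutive values, which is the
    signature of someone iterating through the collection."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m["ip"]].add(int(m["id"]))
    return {
        ip: run
        for ip, ids in ids_by_client.items()
        if (run := longest_consecutive_run(sorted(ids))) >= min_run
    }


# Constructed sample log: one ordinary reader and one client counting upwards.
SAMPLE_LOG = [
    "198.51.100.7 GET /photos/111/222.jpg 200",
    "198.51.100.7 GET /photos/111/310.jpg 200",
    "203.0.113.9 GET /photos/111/220.jpg 200",
    "203.0.113.9 GET /photos/111/221.jpg 200",
    "203.0.113.9 GET /photos/111/222.jpg 200",
    "203.0.113.9 GET /photos/111/223.jpg 200",
    "203.0.113.9 GET /photos/111/224.jpg 404",
    "203.0.113.9 GET /photos/111/225.jpg 200",
]

if __name__ == "__main__":
    link = sign_private_url(new_asset_id(), expires_at=1_700_000_000)
    print(link, verify_private_url(link, now=1_699_999_999))
    print(enumeration_suspects(SAMPLE_LOG))
```

The detector counts consecutive ids rather than raw request volume, because a legitimate user viewing an album may fetch many images but will rarely fetch ids 220, 221, 222, ... in order. In practice the threshold and window would be tuned per endpoint, and the 404 responses mixed into a run are themselves a useful signal, since a scraper does not know which ids exist.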