Critical Finding on TP-Link service or how I got 0$

As a dedicated security researcher, I often devote my spare time to exploring the world of bug bounty programs. While traditional platforms offer valuable opportunities, I also extend my investigations to public systems of popular vendors.

Recently, I made a discovery on a TP-Link subdomain that exposed highly sensitive user information that included plaintext passwords. Unlike some articles that begin with stories of substantial bounties, my story showcases the reality that sometimes all you receive is a simple “Thank you” instead of a monetary reward.

Nonetheless, I am pleased that the security measures have been taken, and this flaw has been rectified. Consequently, I am grateful for the opportunity to share my findings through this article.

The issue was reported to TP-Link. Proper security measures were taken before the publication. All information below has been appropriately censored to uphold confidentiality and maintain ethical standards.

I began the journey by registering on the TP-Link subdomain, related to business customer service and was expecting a seamless registration process.

However, upon completing the registration, a message appeared indicating that accounts undergo manual review before being approved.

And was true, logging in with freshly created account was impossible:

To explore further, I decided trying to bypass the account verification stage.

By visiting the “forgot password” page and entering the registered email address I requested a password.

The email with a new temporary password was received:

Using the provided temporary password for login, I was directed to the profile edit page to set a new password.

This process successfully bypassed the manual approval step, highlighting a vulnerability. I was inside.

After gaining access to the account, I began inspecting the API calls made by the application. It was discovered that the API request for retrieving profile information included the plaintext password, which itself posed a security risk.
However, I noticed that the profile information was requested by a user ID, which appeared to be an iterator.

I attempted to manipulate the user ID. By substituting different numbers in the API request, a critical flaw was exposed — the ability to access any user info, including admin user’s credentials. It was an IDOR.

IDOR (Insecure Direct Object Reference) vulnerability is a security flaw that occurs when an application allows direct access to internal objects or resources without proper authorization, enabling attackers to manipulate or access unauthorized data.

So it means that by running a simple intruder attack a malicious actor may download all user profiles along with their passwords. This vulnerability posed a severe threat to the privacy and security of users’ information. Morover, risks are very high because this is an active resource, that is used by TP-Link business customers.

Following the discovery of the critical security vulnerabilities on the TP-Link subdomain, I promptly reported the issue to TP-Link support. I am pleased to report that they acknowledged the seriousness of the matter and took immediate action to address the vulnerabilities.

Through their response, TP-Link demonstrated their commitment to ensuring the security and privacy of their users. I conducted a quick test to verify the effectiveness of the implemented security measures, and it seemed that the necessary steps have been taken to protect user information.

While this particular investigation did not result in a monetary reward, the satisfaction of knowing that I have contributed to making the digital world a bit more secure is invaluable.