Exposing a Data Leak Vulnerability: My Journey to Discovery

TLDR; Discovered a critical data leak vulnerability in a financial/investment platform, reported it, and received an appreciation letter from their CTO. The issue was resolved quickly, and I’m sharing my experience months later.

The Discovery
A critical vulnerability in a prominent financial and investment company exposed sensitive customer information — such as names, mobile numbers, folio numbers, addresses, and investment summaries — that was accessible without login credentials.

While exploring the dark web, I conducted a simple dork search using the query: site:invest.example.com inurl:GetInvSummary (name). By replacing ‘name’ with any individual’s name, I was able to access sensitive information related to that person, revealing the alarming vulnerability. To verify my findings, I used an incognito browser window on the surface web, confirming that no login was required.

Reporting the Vulnerability
Lacking a formal bug bounty program or a dedicated disclosure channel, I decided to reach out to the company via Twitter DM. They acknowledged the gap in their security and provided me with an email address for reporting vulnerabilities. They also promised an appreciation letter signed by their CTO as recognition for my efforts.

I compiled a comprehensive report, complete with screenshots and evidence, and emailed it to the designated address. The company quickly confirmed the vulnerability’s existence, attributed it to a programming bug, and assured me of a prompt resolution.

Resolution
Within days, the company fixed the bug and expressed gratitude for my responsible actions. They honored their promise by sending an appreciation letter signed by their CTO, which was a meaningful acknowledgment of my efforts.

Conclusion
This experience highlights the critical nature of responsible disclosure in cybersecurity. It’s essential for organizations to have clear channels for reporting vulnerabilities and to recognize the efforts of those who help safeguard user data.

Feel free to provide feedback, comment, clap, or even DM me on my social media accounts.

Thanks for reading!! Happy Hacking!! 🤗🤗

Support me if you like my work! on PayPal and follow me on Twitter/X and Instagram.