How We Prevented a Mass Breach on One of the Biggest Cryptocurrency Gateways on a Web3 Platform


D0loresH4ze

Let’s get into the story directly

My friend Abdelrahman Shazly and I were hunting on www.examplex.com.

We didn't find anything interesting until my friend noticed a POST request going to a third party after he submitted his e-mail. The third-party service is called Braze; it's a marketing service used to send newsletters to subscribed customers, and you can visit the link above to learn more about it and its API.

After submitting the first request with your email, you will notice there is an Authorization token, issued by examplex.com, sent along with our request. :D

After going through the Braze API documentation, we found some interesting endpoints, and some interesting fields in the body of our first request.

Notice that it returns the entire record for our email: first name, last name, when the account was created, and so on. So if I'm already sending requests to www.examplex.com/braze/users/export/ids and reaching the Braze API through it, why not try every Braze endpoint? I did, and some juicy ones worked. :D

Here we used an old email of a friend to find out whether we were authorized to access his data or not, and yes, as you can see, we were. :D

So we tried to find some juicy endpoints to play around with, like this one, which returns the hard-bounced emails and takes “start_date”, “end_date” and “limit” parameters.

As you can see, here is the juicy stuff we got. :D

After searching the Braze endpoints further, we found an endpoint that lists segment IDs, which we will use for something more interesting.

We found another endpoint that takes a segment ID, exports the data of every user in that segment, and saves it to an S3 bucket.

The response we got:

You'll notice there is a .ZIP file in the response, which means all users' data was extracted and exported to their S3 bucket.
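The root cause behind the steps above is a forwarding pattern, not any single endpoint: the site relays browser requests under /braze/... to the third-party API and attaches its own privileged API key, so whatever that key may do upstream, any visitor can do too. The following is an added example, not the authors' code and not Braze's, that models the open forwarder next to an allowlisted one and audits both by probing the read/export endpoints described in this writeup. The probe paths follow Braze's public REST API docs; the upstream host, the key value, the proxy layout and the sign-up payload are assumptions.

```python
"""Added example: the open-proxy pattern behind the bug, a hardened version, and an audit."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

UPSTREAM = "https://rest.iad-01.braze.com"   # assumed REST host
BRAZE_API_KEY = "example-key-not-real"       # constructed placeholder, never a real key


@dataclass
class Response:
    status: int
    body: str


# Shape of the network call: (method, url, headers, json_body) -> Response
Send = Callable[[str, str, dict, Optional[dict]], Response]


def fake_upstream(method: str, url: str, headers: dict, body: Optional[dict]) -> Response:
    """Constructed stand-in for the third-party API: accepts any request carrying the key."""
    if headers.get("Authorization") != f"Bearer {BRAZE_API_KEY}":
        return Response(401, "invalid api key")
    return Response(200, f"ok {method} {url}")


# --- vulnerable: whatever method and path the visitor sends is forwarded with the key ---
def forward_open(method: str, path: str, body: Optional[dict], send: Send) -> Response:
    url = f"{UPSTREAM}/{path.lstrip('/')}"
    return send(method, url, {"Authorization": f"Bearer {BRAZE_API_KEY}"}, body)


# --- hardened: one allowlisted call, server-built payload, key never leaves the server ---
ALLOWED = {("POST", "/users/track")}  # the single write a newsletter sign-up needs (assumed)


def forward_allowlisted(method: str, path: str, body: Optional[dict], send: Send) -> Response:
    if (method.upper(), "/" + path.strip("/")) not in ALLOWED:
        return Response(404, "not found")          # other upstream paths do not exist here
    email = (body or {}).get("email")
    if not isinstance(email, str) or "@" not in email:
        return Response(400, "bad request")
    # Rebuild the payload from scratch: the visitor controls only their own email address.
    payload = {"attributes": [{"email": email, "email_subscribe": "subscribed"}]}
    return send("POST", f"{UPSTREAM}/users/track",
                {"Authorization": f"Bearer {BRAZE_API_KEY}"}, payload)


# Read/export endpoints a visitor must never reach through a sign-up form.
PROBES: List[Tuple[str, str]] = [
    ("POST", "/users/export/ids"),      # full profile for an arbitrary email
    ("GET", "/segments/list"),          # segment IDs
    ("POST", "/users/export/segment"),  # every user in a segment, written to S3
    ("GET", "/email/hard_bounces"),     # bounced addresses by date range
]


def audit(forwarder, send: Send = fake_upstream) -> List[Tuple[str, str]]:
    """Return the probe endpoints the forwarder lets a visitor reach with the site's key."""
    return [(m, p) for m, p in PROBES if forwarder(m, p, {}, send).status == 200]


if __name__ == "__main__":
    print("open proxy exposes:", audit(forward_open))               # all four probes
    print("allowlisted proxy exposes:", audit(forward_allowlisted))  # []
```

Against a live site, `audit` would be pointed at a real `send` (an HTTP client hitting the /braze/ path); the point of the fake is that the check is about the proxy's routing, not about the upstream. The fix that matters is the allowlist plus a server-built payload: rotating the key alone leaves the same hole open for the new key.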

But when you visit the S3 URL in the browser, it says Access Forbidden.

We tried to find a bypass, but unfortunately found nothing.

Then my friend tried this command using curl:

curl https://random-stuff.s3.amazonaws.com/Bigfilename.zip

and it responded with a 200, plus curl's warning that binary output may mess up your terminal.

So we added the “--output file.zip” option to the command,

and BOOOOOM, we were able to download the file holding all the customers' data,

which includes first name, last name, email, phone number, DOB, addresses, etc.
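The download step, as an added example that is not the authors' script: curl writes to a file instead of the terminal and reports the status explicitly, and a second check tells a real archive apart from the XML error document S3 returns with a 403. That second check is worth having because a 200 in curl and a 403 in the browser usually means the two requests were not identical (a pre-signed URL's query string is easily mangled by copy-paste or JSON escaping), so compare the exact URLs before concluding there is a bypass. The URL and file names are placeholders.

```shell
#!/bin/sh
# Added example: fetch an S3 export to a file, then verify what was actually fetched.
set -eu

# fetch_to_file URL OUTFILE: prints the HTTP status; exits non-zero on 4xx/5xx.
fetch_to_file() {
  url="$1"
  out="$2"
  # --fail:      non-zero exit on HTTP >= 400, so a 403 body is never saved as "the zip"
  # --output:    never stream binary to the terminal
  # --write-out: make the status code explicit, so 403 vs 200 is not guesswork
  curl --silent --show-error --fail --output "$out" \
       --write-out '%{http_code}\n' "$url"
}

# is_zip FILE: true if the file starts with the ZIP local-file-header signature PK\x03\x04.
is_zip() {
  sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "504b0304" ]
}

# classify_download FILE: "zip", "xml" (an S3 error document such as AccessDenied), or "unknown".
classify_download() {
  if is_zip "$1"; then
    echo zip
  elif head -c 5 "$1" | grep -q '^<?xml'; then
    echo xml
  else
    echo unknown
  fi
}

# Usage: ./fetch.sh 'https://random-stuff.s3.amazonaws.com/Bigfilename.zip?<signed-query>' export.zip
if [ "${1:-}" ]; then
  fetch_to_file "$1" "${2:-export.zip}"
  classify_download "${2:-export.zip}"
fi
```

Quote the pre-signed URL in single quotes so the shell does not treat the `&`-separated signature parameters as background jobs; that alone explains many "works in one place, 403 in another" results.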

January 14, 2023: Reported

January 18, 2023: Triaged

January 19, 2023: Resolved and Bounty Awarded
