IDOR to read all users' private route comments


Hello Hackers, this is my first writeup. I will show you how I was able to read all users' private route comments.

| Understanding the target

This target is a sports and exercise application, and it is a public program. It allows a user to create their own exercise and share it with friends, and you can share the result of an exercise as a post. There are two types of exercise, routes and workouts, and three levels of post privacy: public, private and friends only.
You can infer each privacy level from its name, but for clarification:
Public post: any user can see it, interact with it and see its comments.
Private post: no one can see it except you.
Friends only post: only people on your friends list can see it.

| The bug

While testing this target, after creating a route I noticed that once I had written more than five comments, a new function called "read all comments" appeared, which caught my attention.

I immediately turned on the interceptor, clicked "read all comments" and found that the request looked like this.

The parent_story_id parameter caught my attention.
I thought to myself: what if I changed this ID to the ID of the victim's private post?
So I changed the ID to the victim's post ID, and boom.

The response contained all the comments of the private post, along with information about who made each comment. The server returned comments for whatever parent_story_id it received without checking whether the requesting user was allowed to see that post, which is the classic IDOR pattern.
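To show the fix from the defender's side, here is an added example (my own code, not the target's or the author's) of a "read all comments" handler with the missing check beside a hardened version that enforces the three privacy levels described above. The data model, user IDs and comments are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Post:
    id: int
    owner_id: int
    privacy: str                     # "public", "private" or "friends"
    comments: list = field(default_factory=list)

# Constructed sample data (hypothetical, not from the original writeup).
FRIENDS = {1: {2}, 2: {1}, 3: set()}   # user id -> set of friend ids
POSTS = {
    100: Post(100, 1, "public",  [("user2", "nice route")]),
    101: Post(101, 1, "private", [("user1", "my private note")]),
    102: Post(102, 1, "friends", [("user2", "see you sunday")]),
}

def can_view_post(viewer_id, post):
    """Authorization rule for the three privacy levels; deny by default."""
    if viewer_id == post.owner_id:
        return True
    if post.privacy == "public":
        return True
    if post.privacy == "friends":
        return viewer_id in FRIENDS.get(post.owner_id, set())
    return False                      # "private" or any unknown value

def read_all_comments_vulnerable(viewer_id, parent_story_id):
    # IDOR: trusts the client-supplied parent_story_id and ignores the viewer.
    post = POSTS.get(parent_story_id)
    return None if post is None else post.comments

def read_all_comments(viewer_id, parent_story_id):
    # Hardened: load the post, then authorize the viewer before returning data.
    post = POSTS.get(parent_story_id)
    if post is None or not can_view_post(viewer_id, post):
        return None                   # same response for missing and forbidden
    return post.comments
```

Returning the same empty result for a missing and a forbidden post keeps the endpoint from confirming which IDs exist.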

I reported this bug and it was accepted as a valid issue.

My LinkedIn: Youssif Mohamed

I hope you enjoyed this writeup, don't forget to like :).
