Inside the Digital Vault: How I Unearthed PII Goldmine — Exposing 15K GST Users’ Information in a…

4 months ago

Mohaseen

Greetings, everyone!

Thank you for returning for my third write-up. In today's discussion we will dive into a critical vulnerability: specifically, how I identified and accessed the names and GSTIDs of nearly 15,000 users. Let's call the target redacted.com. Without further delay, let us walk through the details of this discovery.

Wait… let's have a short introduction about me:

My name is Mohaseen. I'm a cyber security enthusiast and a bug bounty hunter. I have been learning bug bounty hunting and web application hacking since 2019, and I love what I do.

Now let’s understand the bug.

It is a government website that holds fundamental information and is part of the Department of Revenue under the Ministry of Finance, Government of India.

During my routine reconnaissance of the site, I began navigating it as an ordinary user would, but didn't find anything. During this exploration I had an idea: let's try some Google dorks on the site. I ran a few dorks but didn't find much, so it was time to open my Brahmāstra.

The dork, which I made by combining a few dorks, is simple to look at but has helped me find many sensitive information disclosures, including in NASA. A write-up about the NASA bug, which was marked as a duplicate, will be coming soon.

After entering the dork and accessing all the URLs one by one, I landed on a URL from which an Excel sheet was downloaded. I opened the sheet and BOOM🤯!!

It contained almost 15K users with their names and GSTIDs.

The impact of the identified bug is substantial, encompassing the exposure of sensitive information for nearly 15,000 users. The compromised data includes individual names and GSTIDs, which are pivotal pieces of personally identifiable information. Such a breach poses a significant threat to the affected individuals, potentially leading to identity theft, financial fraud, or other malicious activities.
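When you find a sheet like this, the safest way to write the report is to quantify the exposure locally and paste only masked samples, never the raw rows. The script below is an added example (it is not part of the original write-up and not the author's tooling): it scans a downloaded sheet for GSTIN-shaped values, verifies them with the published GSTIN check-character algorithm (base-36 weighted sum with alternating weights 1 and 2), counts unique valid identifiers, and emits masked samples for the report. The CSV sample is constructed for the example; 27AAPFU0939F1ZV is the commonly published example GSTIN and the other rows are synthetic. For a real .xlsx, export it to CSV first or read it with openpyxl and pass the row dicts to triage_rows().

```python
"""Triage a downloaded spreadsheet for GSTIN-style identifiers.

Added example, not code from the original write-up. It quantifies an
exposure like the one described above without copying raw PII into
the report.
"""
import csv
import io
import re
from collections import Counter

# Structural pattern of a 15-character GSTIN:
# 2-digit state code, 10-char PAN, entity number, literal 'Z', check char.
GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]$")
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def gstin_checksum(first14: str) -> str:
    """Compute the 15th (check) character of a GSTIN from its first 14.

    Each character's base-36 value is multiplied by 1 (even index) or
    2 (odd index); the product is folded as quotient + remainder mod 36;
    the check character brings the running total to a multiple of 36.
    """
    total = 0
    for i, ch in enumerate(first14):
        product = ALPHABET.index(ch) * (1 if i % 2 == 0 else 2)
        total += product // 36 + product % 36
    return ALPHABET[(36 - total % 36) % 36]


def is_valid_gstin(value: str) -> bool:
    """True if value has GSTIN structure and a correct check character."""
    v = value.strip().upper()
    return bool(GSTIN_RE.match(v)) and gstin_checksum(v[:14]) == v[14]


def mask_gstin(value: str) -> str:
    """Keep the state code and check character; hide the embedded PAN."""
    v = value.strip().upper()
    return v[:2] + "*" * 12 + v[14:]


def triage_rows(rows):
    """Summarise GSTIN exposure for a list of row dicts (csv.DictReader output).

    Returns which columns carry GSTIN-shaped values, how many unique
    identifiers pass the checksum, how many are malformed (shape matches
    but checksum fails), and a few masked samples safe to quote in a report.
    """
    valid = set()
    malformed = 0
    per_column = Counter()
    for row in rows:
        for col, cell in row.items():
            cell = (cell or "").strip().upper()
            if GSTIN_RE.match(cell):
                per_column[col] += 1
                if is_valid_gstin(cell):
                    valid.add(cell)
                else:
                    malformed += 1
    return {
        "gstin_columns": dict(per_column),
        "unique_valid_gstins": len(valid),
        "malformed_gstins": malformed,
        "sample_masked": sorted(mask_gstin(g) for g in valid)[:3],
    }


def triage_csv(text: str):
    """Convenience wrapper: parse CSV text and triage its rows."""
    return triage_rows(list(csv.DictReader(io.StringIO(text))))


# Constructed sample, NOT data from the target. 27AAPFU0939F1ZV is the
# commonly published example GSTIN; the other rows are synthetic, and two
# of them deliberately carry a wrong check character.
SAMPLE_CSV = """Name,GSTIN,City
Example Traders,27AAPFU0939F1ZV,Mumbai
Sample Stores,27AAPFU0939F1ZX,Pune
Demo Enterprises,29ABCDE1234F1ZW,Bengaluru
Test Supplies,29ABCDE1234F1Z5,Bengaluru
"""

if __name__ == "__main__":
    # On the constructed sample: one GSTIN column with 4 hits,
    # 2 unique valid identifiers, 2 malformed, masked samples only.
    print(triage_csv(SAMPLE_CSV))
```

Counting only checksum-valid identifiers keeps the reported number honest (test or placeholder rows in a sheet often fail the check), and the masked samples let the triage team confirm the data type without the report itself becoming a second copy of the leak.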

After 5 days I got a reply from NCIIPC that the report is valid.

Getting a second appreciation is a great feeling. Thank you, Infosec community, for sharing your knowledge.

I hope you learned something new reading this. Thank you so much for reading. Have a great day😊!
