Sensitive Information Disclosure (Critical Finding)


Hi Connection,

Welcome Back!

I’m Abhishek Pal, a bug hunter, and I’m excited to share my latest discovery with you. In this post, I’ll walk you through my experience of finding a straightforward bug in an application that features shopping functionality. I’ve had my fair share of adventures, and this particular experience was quite interesting.

Application Overview

After initially discovering some low- and medium-severity vulnerabilities, I decided to elevate my search to high-severity ones. Unfortunately, my initial efforts didn’t yield the desired results. I invested a significant amount of time, around 2–3 hours, thoroughly checking the application, but I couldn’t find any critical or high vulnerabilities. This led me to shift my focus to automation, utilizing tools such as ffuf, dirsearch, dirb, nuclei, and more.

While using the dirsearch tool, I identified a directory that returned a 200 OK status code. Upon exploring this endpoint, I found a static page where users could enter their email addresses to receive notifications. I was curious to see how this feature worked, so I entered an email address and captured the request.

What I observed next was quite interesting — the application was disclosing sensitive information, including email addresses, usernames, locations, and mobile numbers — all of which are personally identifiable information (PII).

I decided to take it a step further and tested the endpoint with another email address. To my surprise, the application continued to leak PII data simply by entering an email address. This was a critical vulnerability that needed to be reported immediately. I promptly reported this issue, and I’m glad I could help the application owners fix this vulnerability and protect their users’ sensitive information.
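To make the root cause concrete, here is an added illustration that is not code from the original post or from the affected application: a notification-signup handler that echoes the matching account record back to the caller (the leaky pattern described above), next to a hardened version that validates the address, records the subscription server-side and returns the same generic message whether or not the address is known, plus a small response walker a defender can use in API tests to flag over-shared fields. The user store, field names and regular expression are constructed assumptions for the example.

```python
"""Notification-signup endpoint: PII-leaking handler beside a hardened one.

Added example, not code from the original post. Data and names are constructed.
"""
import re

# Constructed sample account store (not data from the original post).
USERS = {
    "alice@example.com": {
        "username": "alice",
        "email": "alice@example.com",
        "location": "Berlin",
        "mobile": "+49-000-0000000",
    },
}

# Subscriptions recorded by the hardened handler (stands in for a database).
SUBSCRIPTIONS = set()

# Minimal syntactic check; a real deployment would use a proper validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def subscribe_vulnerable(email):
    """Leaky handler: confirms whether the address exists and returns the
    whole account record, so a single request discloses username, location
    and mobile number for any registered address."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {"error": "no such user"}}
    return {"status": 200, "body": {"subscribed": True, "user": user}}


def _record_subscription(email):
    """Persist the opt-in server-side; nothing about the account is returned."""
    SUBSCRIPTIONS.add(email.lower())


def subscribe_fixed(email):
    """Hardened handler: validates input, stores the subscription, and answers
    with one fixed message regardless of whether the address is registered,
    which removes both the PII disclosure and the account-enumeration signal."""
    if not EMAIL_RE.match(email):
        return {"status": 400, "body": {"message": "invalid email address"}}
    _record_subscription(email)
    return {
        "status": 200,
        "body": {"message": "If this address is registered, you will receive notifications."},
    }


# Response keys that should never appear in a signup acknowledgement.
# The submitted email itself is excluded because the caller already knows it.
PII_KEYS = {"username", "location", "mobile", "phone", "address"}


def find_pii_fields(body, path=""):
    """Walk a JSON-like response body and return the dotted paths of keys
    that look like PII. Useful as an assertion in API tests or as a check
    run over captured responses during a review."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in PII_KEYS:
                hits.append(here)
            hits.extend(find_pii_fields(value, here))
    elif isinstance(body, list):
        for index, value in enumerate(body):
            hits.extend(find_pii_fields(value, f"{path}[{index}]"))
    return hits


if __name__ == "__main__":
    leaky = subscribe_vulnerable("alice@example.com")
    print("vulnerable handler leaks:", find_pii_fields(leaky["body"]))
    fixed = subscribe_fixed("alice@example.com")
    print("hardened handler leaks:", find_pii_fields(fixed["body"]))
```

The hardened handler also returns an identical body for a known and an unknown address, so the endpoint no longer tells a caller which emails belong to registered users; the `find_pii_fields` walker is the kind of check that would have caught the original response during development or a security review.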

PII Information Disclosed

Reported Data: 10–09–2024

Traige : 11–09–2024

Bounty : Undisclosed
