How I was able collect PII of all users
Hello Folks 👋,
Parth, this side from BUG XS team. In this write up I am going to explain how I was able to retrieve Personal Identifiable Information (PII) of all users. If you want to learn more about vulnerability and exploits, don't forget to join us in our Bug Bounty Journey. Click here and DM us to get started.
Now the Vulnerability 🐱👤. Lets keep target name as redacted.com.
Here is the flow of the website:
- After entering credentials on login page server sends a POST request to prodapi.redacted.com
- “prodapi.redacted.com” has one parameter : email.
As it was a POST request, I tried to CURL the request and also created a CSRF PoC in Burpsuite professional and tried to executed the generated PoC in browser and the following result was obtained.💥
This data had phone number, email address, location, and the most important thing ID of the user which can help attacker to execute IDOR and other related attacks.👀👀
To verify that I could get data of all registered user, I created 3 more accounts on redacted.com and changed the email parameter in CSRF PoC. When I submitted the request, I could see all the above details of all the users.
