Getting access to 25,000 employees' details
I want to share one of my findings in a private program on HackerOne, which was a critical but straightforward one. During testing for that private program, I found an endpoint for internal team management.
Internal Team management endpoint
After opening the endpoint (refer to the image above), the only thing running in my mind was “How about I check the directories?” Thus, I immediately utilized Dirsearch to brute force all the directories.
Here is the exciting output. I renamed dirsearch to `dir` because I am lazy :v
It’s https://37.–.–.–/register :P
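A directory brute-force like the one above leaves a distinctive trace in web server access logs: one client, many requests in a short window, almost all of them 404, and then the occasional 200 for a path it "discovered". The following detector is an added example for the defending side and is not code from the original post or the program in question; the log lines are constructed in combined log format, and the window size, request count and 404-ratio thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format). 203.0.113.7 behaves like a
# directory scanner; 198.51.100.4 is ordinary traffic. Not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2017:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:02 +0000] "GET /config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:02 +0000] "GET /test HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:03 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:03 +0000] "GET /api HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:04 +0000] "GET /dev HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:05 +0000] "GET /.git HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:05 +0000] "GET /register HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:06 +0000] "GET /phpmyadmin HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
203.0.113.7 - - [25/Oct/2017:10:00:06 +0000] "GET /private HTTP/1.1" 404 162 "-" "Mozilla/5.0 (scanner)"
198.51.100.4 - - [25/Oct/2017:10:00:03 +0000] "GET /login HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (browser)"
198.51.100.4 - - [25/Oct/2017:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (browser)"
198.51.100.4 - - [25/Oct/2017:10:00:10 +0000] "GET /dashboard HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (browser)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, window=timedelta(seconds=60), min_requests=10, min_404_ratio=0.7):
    """Flag client IPs that, within any sliding window, sent at least `min_requests`
    requests of which at least `min_404_ratio` were 404s. For each flagged IP,
    report the paths that did NOT 404, i.e. what the scan actually found."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        not_found = 0  # number of 404s inside the current window [start, end]
        for end, rec in enumerate(recs):
            if rec["status"] == 404:
                not_found += 1
            # slide the window start forward until it fits within `window`
            while rec["ts"] - recs[start]["ts"] > window:
                if recs[start]["status"] == 404:
                    not_found -= 1
                start += 1
            count = end - start + 1
            if count >= min_requests and not_found / count >= min_404_ratio:
                flagged[ip] = {
                    "requests": len(recs),
                    "not_found": sum(1 for r in recs if r["status"] == 404),
                    "discovered": sorted({r["path"] for r in recs if r["status"] != 404}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['not_found']}/{info['requests']} requests were 404; "
              f"reachable paths found: {info['discovered']}")
```

The "discovered" list is the part worth alerting on: it tells the responder which live paths a scanner reached, which is exactly how an unintended public page such as a registration form surfaces. The user-agent is deliberately not used as a signal, since scanners can set any value.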
Upon opening the URL:
Yuss!!!! Registration page. 😮 anddd….
I tried to register with my details. And... there was a configuration error. I was like…
I decided to register one more time with the same email and ended up with an error, i.e.
“The email is already registered.”
Okay, let’s go and log in.
So, I tried to log in with my registered credentials anddd…..
Successfully Logged in….
Admin management page.
All administrators' names and email addresses were disclosed; I was even able to delete them.
Typical employee details pages
Disclosed details include Name, Email, Phone No., Employee ID, Shifts, Reports, Salaries, etc.
Typical Employee details (25k Records)
Sorry, but I needed to hide some details due to confidentiality issues. Some other critical data was being disclosed too, but I don't have permission to write further.
After verifying the issue, I quickly submitted the detailed report to the program via HackerOne. They validated and fixed the problem within a few hours.
They permanently fixed the issue by removing the public registration page from the endpoint.
After reporting the issue, I applied dirsearch on most of the critical endpoints belonging to them; however, no other endpoint was vulnerable to the same problem.
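The root cause here was a self-service registration page on an internal administration tool, where any account created through it could reach the admin management and employee pages. The program fixed it by removing the page; the snippet below is an added example (not the program's code and not the author's) contrasting that weak pattern with an invite-only registration in which an existing administrator issues a single-use token bound to one address, the address must belong to an assumed internal domain, and new accounts get a low-privilege role by default. The in-memory store, role names and domain are constructed for illustration.

```python
import hmac
import secrets


class UserStore:
    """Constructed in-memory store: email -> role, plus outstanding invite tokens."""

    def __init__(self):
        self.users = {}    # email -> role
        self.invites = {}  # token -> (invited email, role)

    def issue_invite(self, email, role="user"):
        """Called by an existing administrator; returns a single-use invite token."""
        token = secrets.token_urlsafe(32)
        self.invites[token] = (email.lower(), role)
        return token


def register_open(store, email):
    """Weak pattern: a public /register that creates an account with administrative
    access for whoever submits the form. Shown only as the 'before' case."""
    store.users[email.lower()] = "admin"
    return True


def register_invited(store, email, token, allowed_domain="example.internal"):
    """Hardened pattern: registration requires a valid, unused invite issued for this
    exact address, the address must be in the allowed domain, and the role comes
    from the invite rather than from the form. Returns (ok, reason)."""
    email = email.lower()
    if "@" not in email or email.rsplit("@", 1)[1] != allowed_domain:
        return False, "email domain not allowed"
    if email in store.users:
        return False, "already registered"

    # Constant-time comparison against every outstanding token so that lookup
    # timing does not leak how much of a guessed token was correct.
    matched = None
    for known in store.invites:
        if hmac.compare_digest(known, token):
            matched = known
    if matched is None:
        return False, "invalid invite"

    invited_email, role = store.invites.pop(matched)  # single use: consumed on success or mismatch
    if invited_email != email:
        return False, "invite issued to a different address"

    store.users[email] = role
    return True, "registered"


if __name__ == "__main__":
    weak = UserStore()
    register_open(weak, "anyone@attacker.test")
    print("open registration ->", weak.users)

    strict = UserStore()
    token = strict.issue_invite("alice@example.internal")
    print(register_invited(strict, "anyone@attacker.test", "guess", ))
    print(register_invited(strict, "alice@example.internal", token))
    print("invite-only registration ->", strict.users)
```

Removing the page entirely, as the program did, is the simplest fix when an internal tool has no need for self-service signup at all; the invite-only variant is for tools that do need onboarding but must never let an unknown party create an account, let alone a privileged one.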
Report Submitted: 25–10–2017
Report Triaged: 25–10–2017
Initial $1300 Awarded: 25–10–2017
Report closed as Resolved: 25–10–2017
Final $1200 Awarded: 26–10–2017