When I was hunting on a private program, I noticed an API that was not included in their scope, so I ignored it. However, after hunting for several hours, it kept bothering me.
I checked for some basic bugs such as XSS, EXIF injection, SSRF, SQLi, code injection, etc. I found an XSS vulnerability that led me to their sandbox.
Then, I moved to their API directly to analyze it. My hacker instinct kicked in — why not give it a shot? The first thing I noticed was their message parameter and whether it was numeric.
I expected it to return a 403 Forbidden since enforcing this restriction is a common practice to prevent the enumeration of other users’ conversations.
To my surprise, I received a 200 OK response for every random number I tested. So, I quickly wrote a Python script to extract all the data and search for sensitive information.
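As an added illustration (not code from the write-up or from the program in question), here is what that missing ownership check looks like on the server side beside the enforced version that should have returned 403, together with a log heuristic a defender could use to notice one client walking sequential message IDs; the message store, the `/api/messages/` path and the log lines are all constructed.

```python
from collections import defaultdict

# Constructed sample store: message id -> (owner, body); ids are sequential.
MESSAGES = {
    101: ("alice", "hi"),
    102: ("bob", "see s3://example-bucket/report.pdf"),
    103: ("alice", "ok"),
}

def get_message_vulnerable(requester, msg_id):
    """Looks up by id only: every existing id returns 200 to any authenticated user."""
    rec = MESSAGES.get(msg_id)
    return (200, rec[1]) if rec else (404, None)

def get_message_fixed(requester, msg_id):
    """Object-level authorization: 403 unless the requester owns the message."""
    rec = MESSAGES.get(msg_id)
    if rec is None:
        return (404, None)
    if rec[0] != requester:
        return (403, None)
    return (200, rec[1])

# Constructed access-log lines: client ip, status, path (hypothetical endpoint).
LOG = """10.0.0.5 200 /api/messages/101
10.0.0.5 200 /api/messages/102
10.0.0.5 200 /api/messages/103
10.0.0.5 200 /api/messages/104
10.0.0.9 200 /api/messages/250"""

def enumeration_suspects(log, min_run=3):
    """Clients whose successful reads cover at least min_run consecutive message ids."""
    ids = defaultdict(set)
    for line in log.splitlines():
        ip, status, path = line.split()
        if status == "200" and path.startswith("/api/messages/"):
            ids[ip].add(int(path.rsplit("/", 1)[1]))
    suspects = []
    for ip, seen in ids.items():
        ordered = sorted(seen)
        run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                suspects.append(ip)
                break
    return suspects
```

The fixed handler answers 403 for another user's message, as the write-up expected; a single client producing a long run of 200s over consecutive ids is the signal the heuristic surfaces.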
After a couple of hours, I found numerous S3 links embedded in the chat. I manually checked them, and to my surprise, I discovered personally identifiable information (PII) of other users.
So I quickly created a report, and within the day I got their response.
After waiting for hours, they issued a bounty of 1000 USD.
Stay tuned for my next write-up.