UNAUTHORIZED ACCESS LEADS TO PII DATA LEAKAGE

Hello Everyone,

My name is pulla karthik Srivastav (security researcher) from Telangana, am so excited as this is my first write up on vulnerability assessment of webapp. I was searching for a vulnerability disclosure program using the bug bounty dork:

responsible disclosure bounty r=h:in

paste the google dork in search bar of google from that I have selected a vulnerability disclosure program.

Lets start,

Bug type:

UNAUTHORIZED ACCESS LEADS TO EXPOSURE OF PII DATA OF EMPLOYEES OF COMPANY

Tools required:

→Sublist3r

→amass

→assetfinder

→Findomain

→subbrute

→Extension of bulk URL opener

→httprobe ( to get live websites )

Initially, let us assume the target domain as target.io and the scope of Vulnerability disclosure program is *.target.io. I have started the subdomain enumeration of the target using mentioned tools

Sublist3r tool command in kali Linux:

sublist3r -d target.io -v -b > sub.txt

amass tool command in kali Linux:

amass enum -d target.io | httprobe> sub1.txt

assetfinder tool command in kali Linux:

./assetfinder target.io| httprobe > sub2.txt

Findomain tool command in kali Linux:

./findomain-linux -t target.io| httprobe > sub3.txt

subbrute tool command in kali Linux:

./subbrute.py target.io| httprobe > sub4.txt

After collecting all the subdomains lets sort the unique ones and store them in one file with the below command:

cat sub.txt sub1.txt sub2.txt sub3.txt sub4.txt | sort -u

By using this command we can filter the duplicates subdomains, Now I have copied all the subdomains and pasted in the bulk URL opener extension this extension helps us to open the bulk urls at a time in a browser.

I was visiting each and every subdomain surprisingly I found a unique subdomain where it redirected me to the google account page which is showing to login via google account.

After that I have tried to login via my personal google account BOOM!! it got logged in via my personal account I have tried with other google account too this means any user can access the subdomain using any google account. Therefore, we can conclude that there is some security misconfiguration where the webapp allows any user to access the website, basically the subdomain consists of data CatLog like datasets and users data.

I was surfing the subdomain after getting logged in, I found a search bar at top right corner. I simply gave a random text like “ user” ,immediately it displayed me a section in that I have seen a check box of “users". After clicking that, it displayed me the data of employees working in that company(PII data leakage due to misconfiguration). The data leaked is name and email address(mail id associated with the company to every individual ). I got the data of almost 1400 users of working employees of the company.

Impact:

PII data leakage of employees of company.

Solution:

Restrict this subdomain to only admin.

Ethically Reported and the program accepted the bug and rated the severity as Medium.

Thanks for Reading.

Happy Hacking!!