Information Disclosure: 80+ Emails and LongIDs Disclosed!!
Hello Friends 👋 I am Pushkar Nandwalkar, working as a Security Analyst. This is my first write-up, and I’m always looking to improve, so your feedback would mean a lot to me!
So let’s begin!!!
So, the target is a service that provides user-friendly encryption for emails. It also offers additional features such as encrypted attachments and secure storage of private keys. So the customer data and the keys are very sensitive here.
Let’s jump to the main part
So there are only 3–4 specific endpoints in scope:
target.com/me/
target.com/account
target.com/api
target.com/pub
Now during recon, I started gathering information about the target from the web archive. I found many usernames that were registered on target.com. After opening any user URL, I could see that I could send an encrypted message to that particular user. To send a message you must log in with Google OAuth.
Now during fuzzing, I observed one endpoint, /pub, which was showing a blank page. One tip I have got from many bug hunters is: whenever you visit a directory and get a blank page, fuzz it!!!
After fuzzing the blank page with my custom wordlist, I got an endpoint, /pub/{user}, which was disclosing the mail ID of the user and also the LongID, which must only be known to the user.
Visiting the URL https://target.com/pub/{user}, I was able to see the details, and then I suddenly remembered that I had got some usernames via the web archive. So I entered every username and I was able to get 80+ mail IDs and their LongIDs.
I immediately prepared a detailed report and sent it to the security team. The response was quick and the vulnerability was patched in 2 days.
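As an added illustration (not the target's code, which this post does not show), here is a minimal model of the /pub/{user} lookup: the over-exposing version beside one that allow-lists the public fields, plus a log check that flags a single client pulling many distinct profiles. All usernames, e-mail addresses, LongIDs, log lines and the threshold are constructed, and the field names are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    username: str
    email: str       # sensitive: only the account owner should see it
    long_id: str     # treated as owner-only, as the write-up does
    public_key: str  # the one field a sender needs to encrypt a message

# Constructed sample records (hypothetical values, not real accounts).
USERS = {
    "alice": User("alice", "alice@example.org", "LONGID-A1", "PUBKEY-A"),
    "bob":   User("bob",   "bob@example.org",   "LONGID-B2", "PUBKEY-B"),
}
PUBLIC_FIELDS = ("username", "public_key")  # what an anonymous sender may see

def pub_lookup_vulnerable(username: str) -> Optional[dict]:
    """Serialises the whole record for any unauthenticated caller (the bug)."""
    user = USERS.get(username)
    return None if user is None else vars(user).copy()

def pub_lookup_hardened(username: str, caller: Optional[str] = None) -> Optional[dict]:
    """Allow-lists the response fields; only the owner gets the full record."""
    user = USERS.get(username)
    if user is None:
        return None
    record = vars(user)
    if caller == username:
        return record.copy()
    return {k: record[k] for k in PUBLIC_FIELDS}

# Detection side: one client fetching many distinct /pub/{user} pages.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /pub/(?P<user>[^/ ?]+) HTTP/[\d.]+" 200 ')
def enumeration_suspects(log_lines, threshold: int = 20) -> dict:
    """Map client IP -> number of distinct users fetched, for clients over the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["user"])
    return {ip: len(users) for ip, users in seen.items() if len(users) > threshold}

# Constructed access-log sample: one client fetches 25 different profiles.
SAMPLE_LOG = [f'203.0.113.7 - - [01/Jan/2024:00:00:{i:02d} +0000] "GET /pub/user{i} HTTP/1.1" 200 512'
              for i in range(25)]
SAMPLE_LOG.append('198.51.100.4 - - [01/Jan/2024:00:01:00 +0000] "GET /pub/alice HTTP/1.1" 200 512')
```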
Thanks for reading; I hope you learned something new. Do clap and share if you like. Be fearless, Happy Hacking, and many more blogs to come!!!!
You can connect with me on LinkedIn: pushkarhax
Cheers. Have a Great Day !!!!