Information Disclosure (CWE-200)CVSS 5.3Easy

Information Disclosure — Unauthenticated API Exposes PII of 500+ Employees and Enterprise Clients

April 1, 2026

11 views

€50

Vulnerability Summary

A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.

Summary

While reviewing the frontend JavaScript bundle of a demo/showroom web application belonging to a major telecom provider, I discovered a hardcoded backend API URL pointing to an Azure-hosted service. The backend exposed a session history endpoint that required zero authentication — no Bearer token, no cookies, no API key.

A single unauthenticated GET request returned 500+ records containing:

Full names of employees
Enterprise client company names and websites (major banks, insurers, tech companies)
Session metadata: timestamps, demo types, session UUIDs
Internal MongoDB ObjectIDs

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

hackerone-reports

Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

HackerOne disclosed report --> https://hackerone.com/reports/3443563 by somerandomdev

Read Writeup →

pyus3r

Public Exposure of Internal API Models (.smd)

This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.

Read Writeup →

pyus3r

Sensitive Data Exposure via JSON-RPC (Whistleblowing Channel)

An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.

LogicalBreach Academy