Vulnerability Summary
An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.
Censorship Note: All data (domains, paths, URIs, JSON-RPC methods, variable names, corporate Tax IDs, emails, and company names) have been strictly anonymized using entirely fictional nomenclature (e.g., dashboard.internal-sec.com). This report describes a simulated environment so as to guarantee 100% privacy for the affected program.
This writeup details a critical Information Disclosure vulnerability within a corporate Whistleblowing management platform.
The flaw centered on a server-side JSON-RPC service that fed the graphical interface. Its intended purpose was only to list the available configuration "categories" through this endpoint:
A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.
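As an added example, not code from the report or from the platform it describes, the following Python shows the two halves of what the summary above describes: pulling the hardcoded backend URL, API path and JSON-RPC method names out of a front-end bundle, and then the server-side pattern that made the unauthenticated POST dangerous, an RPC dispatcher with no authorization check beside one that authorizes per method before dispatching. The bundle text, the domain (`dashboard.internal-sec.com`, reusing the report's own fictional placeholder), the paths, method names, session token, role names and records are all constructed for this example, and the error code -32001 is an assumed server-defined code.

```python
"""Added example, not the report's or the vendor's code. Every domain, path,
method name, token and record below is a constructed placeholder."""
import json
import re

# Constructed stand-in for a minified front-end bundle; all names are fictional.
SAMPLE_BUNDLE = (
    '!function(){var e={baseUrl:"https://dashboard.internal-sec.com",rpc:"/api/v1/rpc"};'
    'function t(n,o){return fetch(e.baseUrl+e.rpc,{method:"POST",'
    'headers:{"Content-Type":"application/json"},'
    'body:JSON.stringify({jsonrpc:"2.0",id:1,method:n,params:o})})}'
    'window.app={listCategories:()=>t("config.listCategories",{}),'
    'getTenant:i=>t("tenant.get",{id:i})}}();'
)

URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~/-]*)?')
API_PATH_RE = re.compile(r'"(/api/[A-Za-z0-9._~/-]*)"')
# Dotted "namespace.method" string literals are the usual shape of JSON-RPC method names.
RPC_METHOD_RE = re.compile(r'"([a-z][a-z0-9_]*\.[A-Za-z][A-Za-z0-9_.]*)"')


def extract_endpoints(bundle: str) -> dict:
    """Return the hardcoded hosts, API paths and RPC method names found in a bundle."""
    return {
        "urls": sorted(set(URL_RE.findall(bundle))),
        "paths": sorted(set(API_PATH_RE.findall(bundle))),
        "methods": sorted(set(RPC_METHOD_RE.findall(bundle))),
    }


# Constructed records standing in for the tenant configuration the endpoint leaked.
CATEGORIES = [
    {"id": 1, "name": "Retaliation", "tenant_tax_id": "IT00000000001"},
    {"id": 2, "name": "Fraud", "tenant_tax_id": "IT00000000002"},
]
# Constructed session store: token -> principal and granted roles.
SESSIONS = {"s3ss10n-admin": {"user": "admin", "roles": {"config.read"}}}
# Per-method role requirement; any method not listed here is denied by default.
REQUIRED_ROLE = {"config.listCategories": "config.read"}


def _error(req: dict, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": code, "message": message}}


def _dispatch(req: dict) -> dict:
    """Business logic only; it trusts that authorization already happened."""
    if req.get("method") == "config.listCategories":
        return {"jsonrpc": "2.0", "id": req.get("id"), "result": CATEGORIES}
    return _error(req, -32601, "Method not found")


def rpc_vulnerable(req: dict, session_token=None) -> dict:
    """The flaw the report describes: the session is never consulted."""
    return _dispatch(req)


def rpc_hardened(req: dict, session_token=None) -> dict:
    """Authorize per method before dispatch. -32001 is an assumed server-defined
    code (JSON-RPC 2.0 reserves -32000..-32099 for implementation errors)."""
    method = req.get("method")
    if method not in REQUIRED_ROLE:
        return _error(req, -32601, "Method not found")
    session = SESSIONS.get(session_token or "")
    if session is None or REQUIRED_ROLE[method] not in session["roles"]:
        return _error(req, -32001, "Unauthorized")
    return _dispatch(req)


def probe_unauthenticated(handler, method: str) -> bool:
    """Replay the report's check: POST the method with no session; True means data came back."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": {}})
    response = handler(json.loads(body), None)
    return "result" in response


if __name__ == "__main__":
    print(json.dumps(extract_endpoints(SAMPLE_BUNDLE), indent=2))
    for name, handler in (("vulnerable", rpc_vulnerable), ("hardened", rpc_hardened)):
        print(name, "leaks without a session:", probe_unauthenticated(handler, "config.listCategories"))
```

Two design points carry over to a real engagement: the grep stage should run over every bundle chunk the app loads, not only the entry file, because method names are often spread across lazily loaded chunks; and the fix belongs in front of the dispatcher as a deny-by-default role table, so that a method added later without an entry is unreachable rather than silently public.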
HackerOne disclosed report --> https://hackerone.com/reports/3443563 by somerandomdev
This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.
Did you discover the method through a JS file?
Via API docs