Accessing deleted comment for $$: A Bug Bounty Writeup

the_unlucky_guy
Jan 17, 2024


Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I was able to access deleted comments on a community thread of a website. I will be using redacted.com as the main domain.

*.redacted.com is in scope. As usual, I started with subdomain enumeration and found 500+ live subdomains. I took screenshots of all subdomains using the tool aquatone and started reviewing them. One of the screenshots, for the subdomain community.redacted.com, caught my eye.

community.redacted.com is a community website where an authenticated user can create a thread, interact with other threads and interact with other users. I started exploring the website and capturing every request in the proxy tool Burp Suite.

After exploring the website, I started reviewing all the requests and responses from community.redacted.com. There is one GET endpoint, https://community.redacted.com/ajax/ugc/frontend/comment/getComment?id=comment_id&tid=thread_id, which is used to fetch a comment from the thread based on the parameters id=comment_id&tid=thread_id. Both comment_id and thread_id are long numeric strings. I opened the GET endpoint https://community.redacted.com/ajax/ugc/frontend/comment/getComment?id=comment_id&tid=thread_id in the browser and found that all the comments from my thread were visible in the JSON response.

What I did next was delete the comment from my community thread. In the UI, no comment was visible in my thread, as I had deleted it.

I reopened the same GET endpoint https://community.redacted.com/ajax/ugc/frontend/comment/getComment?id=comment_id&tid=thread_id in the browser and found that the deleted comment was still visible in the JSON response. The thread comment was only deleted from the UI but not actually deleted from the backend/database, so anyone, or the thread owner, can access the deleted comment of the thread.

The bug does not have much impact because of the long numeric comment_id and thread_id. Anyone can access the deleted comment if the comment_id is known or if they captured the comment_id of a thread before the comment was deleted. I sent a report to the security team, as this is a violation of the user's privacy. The security team accepted the report as Low and fixed it.
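A minimal sketch of this class of bug and one way to close it, added here as an example and not the site's actual code. The table layout, the deleted_at soft-delete column, the sample rows and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory store with one constructed thread and two comments."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE comments ("
        " id INTEGER PRIMARY KEY, tid INTEGER NOT NULL,"
        " body TEXT NOT NULL, deleted_at TEXT)"  # NULL means not deleted
    )
    db.executemany(
        "INSERT INTO comments (id, tid, body) VALUES (?, ?, ?)",
        [(9001, 77, "first comment"), (9002, 77, "second comment")],
    )
    return db

def delete_comment(db, comment_id, tid):
    """Soft delete: the row stays, only a timestamp is set (assumed design)."""
    db.execute(
        "UPDATE comments SET deleted_at = datetime('now') WHERE id = ? AND tid = ?",
        (comment_id, tid),
    )

def get_comment_vulnerable(db, comment_id, tid):
    """Mirrors the behaviour in the write-up: deletion state is never checked."""
    row = db.execute(
        "SELECT id, tid, body FROM comments WHERE id = ? AND tid = ?",
        (comment_id, tid),
    ).fetchone()
    return dict(row) if row else None

def get_comment_fixed(db, comment_id, tid):
    """Enforce deletion in the data-access layer, not only in the UI."""
    row = db.execute(
        "SELECT id, tid, body FROM comments"
        " WHERE id = ? AND tid = ? AND deleted_at IS NULL",
        (comment_id, tid),
    ).fetchone()
    return dict(row) if row else None  # None -> the handler answers 404

if __name__ == "__main__":
    db = make_db()
    delete_comment(db, 9001, 77)
    print("vulnerable:", get_comment_vulnerable(db, 9001, 77))
    print("fixed:     ", get_comment_fixed(db, 9001, 77))
```

A regression test that deletes a comment and then requests it by id through the API, expecting a not-found response, catches this before release. If the deleted content has no retention requirement, removing or scrubbing the body on delete also limits what a later query bug can expose.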

[Image: Security Team to Me]

Timeline:

Nov 09, 2021 — Reported

Nov 24, 2021 — Triaged

Dec 8, 2021 — $$ Rewarded

Dec 24, 2021 — Fixed.

Thanks for reading, hope you learned something new. Do clap and share if you like it. Happy Hacking and Try Harder!

Twitter: 7he_unlucky_guy
LinkedIn: Vijeta
Topmate: Vijeta
