PII Disclosure Worth $750
Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I found a PII disclosure in one of India's unicorns. The company has a public bug bounty program on HackerOne. I will be using redacted.com as the main domain.
The company is a technology platform through which customers book different types of services.
www.redacted.com and api.redacted.com are in scope. As usual, I started exploring the application and capturing every request in the proxy tool Burp Suite. redacted.com is the main domain, but all the traffic routes through api.redacted.com. I had used the company in the past to book some services, so I have some bookings in my account.
After exploring the application, I started reviewing all the requests and responses from api.redacted.com. There is one endpoint, https://api.redacted.com/api/v2/help-recovery/gethelp/getHelpFlow, to which a POST request with the body
{"user_type":"customer","flow_type":"request","request_id":"XXXXX","group_key":"view_payment_summary_group","mode":"published"}
is used to fetch the payment summary of the booked service. While reviewing the response of this endpoint, I found that the personal contact details of the service provider in the key masked_number are exposed in plain text.
You can see in the above image that you need the request_id (which is the booking id) to fetch the contact details of the service provider. Here the request_id is not brute-forceable, and there is a proper authorization check on the API endpoint.
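The defect described above is a field named masked_number whose value was never actually masked. As an added example (not code from the original post or from the affected company), the following Python script shows the check a defender would run over a decoded API response to catch exactly this class of leak, together with the server-side masking routine that should have produced the value. The sample response, field layout and phone numbers are constructed for illustration; the only assumption is that a masked contact number should reveal no more than its last four digits.

```python
import re
from typing import Any, List

# Constructed sample response, modelled on the write-up's description of the
# getHelpFlow endpoint. One masked_number field is correctly masked, the other
# still carries a full phone number. All numbers here are made up.
SAMPLE_RESPONSE = {
    "request_id": "XXXXX",
    "group_key": "view_payment_summary_group",
    "provider": {
        "name": "Example Provider",
        "masked_number": "9876543210",   # full number: this is the leak
    },
    "customer": {
        "masked_number": "XXXXXX3210",   # correctly masked
    },
}

KEEP_DIGITS = 4  # assumption: a masked number may reveal at most 4 trailing digits


def is_properly_masked(value: str, keep: int = KEEP_DIGITS) -> bool:
    """A value counts as masked only if it exposes at most `keep` digits."""
    digits = re.sub(r"\D", "", value)
    return len(digits) <= keep


def find_unmasked(obj: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON response and return the locations of fields that
    claim to be masked (key ends in 'masked_number') but still expose a full
    number. Safe to run in a response-validation test or an API gateway hook."""
    findings: List[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}"
            if (key.endswith("masked_number")
                    and isinstance(val, str)
                    and not is_properly_masked(val)):
                findings.append(child)
            findings.extend(find_unmasked(val, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(find_unmasked(item, f"{path}[{i}]"))
    return findings


def mask_number(value: str, keep: int = KEEP_DIGITS) -> str:
    """Server-side fix: strip formatting, keep only the last `keep` digits and
    replace every other digit with 'X', so the API never emits the full number."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep:
        return "X" * len(digits)
    return "X" * (len(digits) - keep) + digits[-keep:]


if __name__ == "__main__":
    for loc in find_unmasked(SAMPLE_RESPONSE):
        print("unmasked contact number at", loc)
    print(mask_number("+91 98765 43210"))
```

The walker deliberately keys on the field name rather than on a phone-number regex: the bug was a contract violation (a field promising masking that did not deliver), and a test that encodes that contract will keep catching regressions even if the number format changes. The same function can be pointed at any stored response sample from the proxy to audit other endpoints for the same mistake.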
So, to increase the impact of the vulnerability, I made 3–5 new COD bookings for the next day. The service provider for an upcoming booking is assigned within 30 min of creating the booking. I hit the vulnerable API endpoint https://api.redacted.com/api/v2/help-recovery/gethelp/getHelpFlow with the new request_id to fetch the contact details of the service provider assigned to that specific booking, and then I canceled the booking so that I didn't have to pay any cancellation charge.
Cancellation terms: Free cancellation until 3 hrs before the booked slot; after that, Rs 100 is chargeable.
I reported this issue to the security team through HackerOne. The company fixed the issue and rewarded a bounty of $750.
Timeline:
June 30, 2023 — Reported
July 14, 2023 — Fixed and $750 Bounty awarded.
To schedule a one-on-one session with me, please make a booking through the Topmate platform.
Thanks for reading, I hope you learned something new. Do clap and share if you liked it. See you in part II with a new bug. Happy Hacking!
Twitter: 7he_unlucky_guy
LinkedIn: Vijeta
Topmate: Vijeta