PII Disclosure Worth $750
Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I found a PII disclosure in one of the unicorns of India. The company has a public bug bounty program on HackerOne. I will be using redacted.com as the main domain.
The company is a technology platform through which customers book different types of services.
www.redacted.com and api.redacted.com are in scope. As usual, I started exploring the application and capturing every request in the proxy tool Burp Suite. redacted.com is the main domain, but all the traffic routes through api.redacted.com. I used the company in the past to book some services, so I have some bookings in my account.
After exploring the application, I started reviewing all the requests and responses from api.redacted.com. There is one endpoint: https://api.redacted.com/api/v2/help-recovery/gethelp/getHelpFlow
A POST request to the endpoint with the body {"user_type":"customer","flow_type":"request","request_id":"XXXXX","group_key":"view_payment_summary_group","mode":"published"} is used to fetch the payment summary of the booked service. While reviewing the response of the endpoint, I found that the personal contact details of the service provider are exposed in plain text in the key masked_number.
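As an added example (not code from the original write-up or from the affected company), here is a server-side regression check that would catch this class of leak: it walks a JSON response and flags any field named masked_* that still carries more than four digits, plus any other phone-like string. The response layout, the phone number, the four-digit threshold and the helper names are assumptions constructed for illustration.

```python
import json
import re

# Assumption: a "masked" phone number may reveal at most its last 4 digits.
MAX_VISIBLE_DIGITS = 4
PHONE_LIKE = re.compile(r"^\+?[\d\s\-()]{8,}$")


def mask_phone(number: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Replace every digit except the last `visible` with 'X'."""
    total = sum(ch.isdigit() for ch in number)
    out, seen = [], 0
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - visible else "X")
        else:
            out.append(ch)
    return "".join(out)


def find_unmasked(node, path="$"):
    """Walk a decoded JSON body and return (path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str):
                digits = sum(ch.isdigit() for ch in value)
                if key.startswith("masked_") and digits > MAX_VISIBLE_DIGITS:
                    findings.append((child, "field named masked_* is not masked"))
                elif PHONE_LIKE.match(value) and digits >= 8:
                    findings.append((child, "phone-like value in plain text"))
            else:
                findings.extend(find_unmasked(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_unmasked(item, f"{path}[{i}]"))
    return findings


# Constructed sample response; the real response layout is not shown on the page.
SAMPLE = json.loads("""
{"data": {"payment_summary": {"total": "499"},
          "provider": {"name": "A. Kumar", "masked_number": "+91 98765 43210"}}}
""")

if __name__ == "__main__":
    for path, reason in find_unmasked(SAMPLE):
        print(path, "->", reason)
    print(mask_phone("+91 98765 43210"))
```

Run as an API contract test against each response schema, a check like this fails the build when a field that promises masking is serialized from the raw value.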