Hello Members, I am Vishal Bharad. Works as Penetration Tester and from India.
Here I am Back with another Interesting blog on How I Hacked Everyone’s Resume/CV’s on Job Search Portal and got €€€ (Euro).
First of all this is the one of the Simplest Vulnerability which rated in CRITICAL Category on Intigriti.
I started Bug bounty on intigriti.com and while searching for programs I got one program which is related to job search portal. As there are so many programs on intigriti related to job search :D.
So they not allowed to exposed vulnerabilities related to there program so please consider the domain is target.com
Vulnerable Domain — Target.com (Redacted)
Vulnerability Type — Sensitive Information Disclosure
Affected Endpoint — https://www.target.com/profile/cv/
Attack Type — Remote
Impact — All Resume/CV’s Exposed
There is flaw of Resume/CV upload in which there is an endpoint https://www.target.com/profile-portlets/cv/ which is vulnerable to Sensitive Information Disclosure in which All CV’s are exposed to Public.
While testing I put wrong password to login and I got one mail in the Inbox which is related to my profile information and In that information I got the endpoint of my CV/Resume. Which is available publicly.
To confirm my CV is available publicly or not I have open this endpoint in Private Browser and I am able to download my resume even after not logged in with an account.
Now below are the next steps to retrieve other users CV’s/Resume’s
Steps to Reproduce:
- As my CV path is https://www.target.com/profile-portlets/cv/3535924
2. Capture the request in Burp Suite.
GET /profile-portlets/cv/3535924 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
3. Now send this request to intruder to perform manual testing.
4. In intruder set Path and set payload to numbers 1 to 9999 and start attack.
5. You can see that choose any number from the intruder which response is status is 200 and download resume.
Thank You for your time to read this article
- I reported to Private Site on 15th July 2020
- (Only Points Program) They do not pay for the vulnerabilities, but still they decided to reward me with €250
Looking forward to share more blogs
LinkedIn Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/