How I Hacked Everyone’s Resume/CV’s and Got €€€
Hello Members, I am Vishal Bharad. I work as a Penetration Tester and am from India.
Here I am back with another interesting blog on how I hacked everyone's Resume/CVs on a job search portal and got €€€ (Euro).
First of all, this is one of the simplest vulnerabilities, and it was rated in the CRITICAL category on Intigriti.
I started bug bounty on intigriti.com and while searching for programs I found one program related to a job search portal. There are so many programs on Intigriti related to job search :D.
They do not allow disclosing vulnerabilities related to their program, so please consider the domain to be target.com.
Vulnerable Domain — Target.com (Redacted)
Vulnerability Type — Sensitive Information Disclosure
Affected Endpoint — https://www.target.com/profile/cv/
Attack Type — Remote
Impact — All Resume/CV’s Exposed
There is a flaw in the Resume/CV upload: the endpoint https://www.target.com/profile-portlets/cv/ is vulnerable to Sensitive Information Disclosure, through which all CVs are exposed to the public.
While testing I entered a wrong password at login and received a mail in my inbox with my profile information, and in that information I found the endpoint of my CV/Resume, which is available publicly.
To confirm whether my CV was available publicly, I opened this endpoint in a private browser window and I was able to download my resume even without being logged in to an account.
Below are the next steps to retrieve other users' CVs/Resumes.
Steps to Reproduce:
1. My CV path is https://www.target.com/profile-portlets/cv/3535924
2. Capture the request in Burp Suite.
Request:
GET /profile-portlets/cv/3535924 HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
3. Now send this request to Intruder to perform manual testing.
4. In Intruder, set the path as the payload position, set the payload to numbers 1 to 9999 and start the attack.
5. Choose any request from Intruder whose response status is 200 and download the resume.
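The root cause above is a download endpoint keyed by a sequential numeric id with no authentication or ownership check. As an added example (not the author's or the portal's code), here is a minimal model of such a handler next to a hardened version; the store, session table, user ids and function names are all hypothetical, and the CV ids are constructed to mirror the /profile-portlets/cv/3535924 path.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CV:
    owner_id: int
    filename: str

# Constructed sample data: sequential numeric CV ids like the page's /profile-portlets/cv/3535924
CV_STORE = {
    3535924: CV(owner_id=101, filename="user101_cv.pdf"),
    3535925: CV(owner_id=102, filename="user102_cv.pdf"),
}
# Constructed session table: session token -> user id.  A None token models the
# author's private-browser request with no login at all.
SESSIONS = {"tok-101": 101, "tok-102": 102}

def vulnerable_download(cv_id: int, session_token: Optional[str]) -> Tuple[int, Optional[str]]:
    """The flaw on the page: any id that exists is served, regardless of who asks."""
    cv = CV_STORE.get(cv_id)
    return (200, cv.filename) if cv else (404, None)

def hardened_download(cv_id: int, session_token: Optional[str]) -> Tuple[int, Optional[str]]:
    """Require a valid session AND that the requester owns the CV.

    Foreign or unknown ids both return 404 (not 403), so the status code does not
    reveal which ids exist; that is what makes the Intruder 200/404 sort useless.
    """
    user_id = SESSIONS.get(session_token) if session_token else None
    if user_id is None:
        return (401, None)
    cv = CV_STORE.get(cv_id)
    if cv is None or cv.owner_id != user_id:
        return (404, None)
    return (200, cv.filename)

def new_cv_handle() -> str:
    """Defence in depth: issue a random, non-sequential handle instead of a counter.
    This makes 1..9999-style enumeration impractical but is NOT a substitute for the
    ownership check above; a leaked handle (e.g. via the profile e-mail) still needs it."""
    return secrets.token_urlsafe(16)
```

The ownership check is the fix; the random handle only raises the cost of guessing and should be added on top of it.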
Thank you for your time to read this article.
Disclosure:
- I reported it to the private program on 15th July 2020
- (Points-only program) They do not pay for vulnerabilities, but they still decided to reward me with €250
Thanks
Looking forward to sharing more blogs
Best Regards
Vishal Bharad
LinkedIn Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/