How I Hacked Everyone’s Resume/CV’s and Got €€€

Hello members, I am Vishal Bharad, a penetration tester from India.

Here I am back with another interesting blog on how I hacked everyone’s resumes/CVs on a job search portal and got €€€ (Euro).

First of all, this is one of the simplest vulnerabilities, yet it was rated in the CRITICAL category on Intigriti.

I started bug bounty hunting on intigriti.com, and while searching for programs I found one related to a job search portal. There are so many programs on Intigriti related to job search :D

They do not allow disclosing vulnerabilities related to their program, so please consider the domain to be target.com.

Vulnerable Domain — Target.com (Redacted)

Vulnerability Type — Sensitive Information Disclosure

Affected Endpoint — https://www.target.com/profile/cv/

Attack Type — Remote

Impact — All Resumes/CVs Exposed

There is a flaw in the resume/CV upload feature: the endpoint https://www.target.com/profile-portlets/cv/ is vulnerable to sensitive information disclosure, and through it all CVs are exposed to the public.

While testing, I entered a wrong password at login and received an email in my inbox with my profile information. That email contained the endpoint of my CV/resume, which turned out to be publicly available.

[Image: CV/Resume Available Publicly]

To confirm whether my CV was publicly available, I opened this endpoint in a private browser window and was able to download my resume without being logged in to any account.
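The root cause described above is that the server looks up the file by its numeric id alone and never consults the session. The following is an added illustration, not the target's code: a minimal download handler in its vulnerable form next to a hardened one that requires a session and checks ownership. The in-memory store, the user names and the id 3535925 are constructed sample data; only 3535924 comes from the post.

```python
"""Vulnerable vs. hardened CV download handler (added illustration, not the portal's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store. Ids are small sequential integers, as on the page,
# which is exactly what makes them guessable.
CV_STORE = {
    3535924: {"owner": "vishal", "bytes": b"%PDF-1.4 vishal-cv"},
    3535925: {"owner": "alice",  "bytes": b"%PDF-1.4 alice-cv"},   # constructed
}


@dataclass
class Response:
    status: int
    body: bytes = b""


def serve_cv_vulnerable(cv_id: int, session_user: Optional[str]) -> Response:
    """The flaw from the post: the id alone selects the file; session_user is ignored,
    so an unauthenticated client gets anyone's CV for a guessed id."""
    cv = CV_STORE.get(cv_id)
    if cv is None:
        return Response(404)
    return Response(200, cv["bytes"])


def serve_cv_hardened(cv_id: int, session_user: Optional[str]) -> Response:
    """Object-level authorization: authenticate first, then check that the
    requested object belongs to the caller before touching its contents."""
    if session_user is None:
        return Response(401)                       # no session at all
    cv = CV_STORE.get(cv_id)
    # Same 404 for "does not exist" and "not yours": the status code must not
    # leak which ids are valid, or it becomes an oracle for enumeration.
    if cv is None or cv["owner"] != session_user:
        return Response(404)
    return Response(200, cv["bytes"])


def private_browser_check(cv_id: int) -> tuple:
    """Reproduces the author's test (no session): returns the status each handler gives."""
    return (serve_cv_vulnerable(cv_id, None).status,
            serve_cv_hardened(cv_id, None).status)


if __name__ == "__main__":
    # Unauthenticated fetch of someone else's CV: 200 from the flawed handler, 401 from the fixed one.
    print(private_browser_check(3535925))
    print(serve_cv_hardened(3535924, "vishal").status)   # owner, logged in: 200
    print(serve_cv_hardened(3535924, "alice").status)    # another user: 404
```

The ownership check has to be per object, not per endpoint: a login wall alone would still let any registered user fetch every other user's CV by id.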

Below are the steps to retrieve other users' CVs/resumes.

Steps to Reproduce:

1. My CV path is https://www.target.com/profile-portlets/cv/3535924

2. Capture the request in Burp Suite.
Request:

GET /profile-portlets/cv/3535924 HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

[Image: My CV/Resume Path]

3. Now send this request to Intruder to perform manual testing.

4. In Intruder, mark the numeric id in the path as the payload position, set the payload to the numbers 1 to 9999, and start the attack.

[Image: Intruder Successful]

5. Pick any request from the Intruder results whose response status is 200 and download that resume.

[Image: Other Users' Resumes/CVs]
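The enumeration in steps 3 to 5 leaves a distinctive trace in the web server's access log: one client requesting many distinct ids under the same path within seconds, with 404s interleaved where ids do not exist. The following detector is an added example (not from the post or the portal): it parses combined-format log lines and flags any client that touches at least `min_ids` distinct CV ids inside a sliding time window. The log lines, IP addresses and thresholds are constructed for the example; the path and date are taken from the post.

```python
"""Detect sequential CV-id enumeration in web access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). 10.0.0.5 is a user fetching their own CV;
# 10.0.0.9 walks ids 1..6 the way the Intruder run above does, hitting 404 on gaps.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2020:10:00:01 +0000] "GET /profile-portlets/cv/3535924 HTTP/1.1" 200 48213
10.0.0.9 - - [15/Jul/2020:10:00:02 +0000] "GET /profile-portlets/cv/1 HTTP/1.1" 404 0
10.0.0.9 - - [15/Jul/2020:10:00:02 +0000] "GET /profile-portlets/cv/2 HTTP/1.1" 200 39112
10.0.0.9 - - [15/Jul/2020:10:00:03 +0000] "GET /profile-portlets/cv/3 HTTP/1.1" 200 41870
10.0.0.9 - - [15/Jul/2020:10:00:03 +0000] "GET /profile-portlets/cv/4 HTTP/1.1" 404 0
10.0.0.9 - - [15/Jul/2020:10:00:04 +0000] "GET /profile-portlets/cv/5 HTTP/1.1" 200 40022
10.0.0.9 - - [15/Jul/2020:10:00:04 +0000] "GET /profile-portlets/cv/6 HTTP/1.1" 200 37710
10.0.0.5 - - [15/Jul/2020:10:05:00 +0000] "GET /profile-portlets/cv/3535924 HTTP/1.1" 200 48213
"""

# Common/combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# The vulnerable endpoint from the post, with its numeric object id captured
CV_PATH_RE = re.compile(r"^/profile-portlets/cv/(\d+)$")


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_cv_enumeration(log_text, window=timedelta(seconds=60), min_ids=5):
    """Flag clients that request >= min_ids distinct CV ids within any `window`.

    Returns {ip: {"distinct_ids": n, "served": k}} where k counts the 200 responses
    in the offending window, i.e. how many documents actually left the server.
    Failed probes (404) still count toward distinct_ids: the scan is visible even
    when the handler correctly refuses most ids.
    """
    per_ip = defaultdict(list)                     # ip -> [(ts, cv_id, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        pm = CV_PATH_RE.match(path)
        if pm is None:
            continue
        per_ip[ip].append((ts, int(pm.group(1)), status))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):            # sliding window over this client's requests
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ids = {cv_id for _, cv_id, _ in span}
            if len(ids) >= min_ids and (best is None or len(ids) > best["distinct_ids"]):
                best = {"distinct_ids": len(ids),
                        "served": sum(1 for _, _, st in span if st == 200)}
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_cv_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['distinct_ids']} distinct CV ids, {info['served']} served")
```

Run against the sample, only 10.0.0.9 is reported, with 6 distinct ids and 4 documents served. The `served` count is the number worth escalating on: it is the size of the disclosure, and it is what distinguishes a scan that was blocked by the ownership check from one that actually exfiltrated CVs.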

Thank you for taking the time to read this article.

Disclosure:

  1. I reported it to the private program on 15th July 2020.
  2. (Points-only program) They do not pay for vulnerabilities, but they still decided to reward me with €250.

Thanks

Looking forward to sharing more blogs.

Best Regards

Vishal Bharad

LinkedIn Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/

Penetration Tester, Bug Bounty Hunter, Security Researcher
