How I Hacked Everyone’s Resumes/CVs and Got €€€
Hello Members, I am Vishal Bharad. I work as a Penetration Tester and I am from India.
Here I am back with another interesting blog on how I hacked everyone’s resumes/CVs on a job search portal and got €€€ (Euro).
First of all, this is one of the simplest vulnerabilities, yet it was rated in the CRITICAL category on Intigriti.
I started bug bounty hunting on intigriti.com, and while searching for programs I found one related to a job search portal (there are so many programs on Intigriti related to job search :D).
They do not allow disclosing vulnerabilities related to their program, so please consider the domain to be target.com.
Vulnerable Domain — Target.com (Redacted)
Vulnerability Type — Sensitive Information Disclosure
Affected Endpoint — https://www.target.com/profile/cv/
Attack Type — Remote
Impact — All Resumes/CVs Exposed
The flaw is in the resume/CV upload: the endpoint https://www.target.com/profile-portlets/cv/ is vulnerable to sensitive information disclosure, and through it all uploaded CVs are exposed to the public.
While testing, I entered a wrong password at login and received an email in my inbox with my profile information. That email contained the link to my CV/resume, and that link was publicly accessible.
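To show what the missing check looks like on the server side, here is an added illustration (not the author's code and not the portal's): a CV download handler that serves any CV to anyone holding the link, beside a hardened version that requires a login session and ownership of the record, plus a regression check that flags CVs reachable without a session. Users, sessions and CV records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CV:
    cv_id: str
    owner_id: str
    content: bytes

# Constructed sample data: two users, each with one uploaded CV.
CV_STORE = {
    "cv-1001": CV("cv-1001", "user-alice", b"Alice's resume (PII)"),
    "cv-1002": CV("cv-1002", "user-bob", b"Bob's resume (PII)"),
}
# Constructed session table: session token -> user id.
SESSIONS = {"sess-alice": "user-alice", "sess-bob": "user-bob"}

def serve_cv_vulnerable(cv_id: str, session_token: Optional[str] = None) -> Tuple[int, bytes]:
    """The flaw: the handler never looks at who is asking.
    Anyone holding the link, logged in or not, receives the file."""
    cv = CV_STORE.get(cv_id)
    if cv is None:
        return 404, b""
    return 200, cv.content

def serve_cv_hardened(cv_id: str, session_token: Optional[str] = None) -> Tuple[int, bytes]:
    """Fix: require a valid session, then check that the CV belongs to the
    requesting user. 'Missing' and 'not yours' get the same 404 so that
    CV ids cannot be enumerated by watching status codes."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        return 401, b""
    cv = CV_STORE.get(cv_id)
    if cv is None or cv.owner_id != user_id:
        return 404, b""
    return 200, cv.content

def unauthenticated_access_check(handler, cv_ids) -> list:
    """Regression check for a test suite: request each CV with no session
    and return the ids that still come back with status 200."""
    return [cv_id for cv_id in cv_ids if handler(cv_id, None)[0] == 200]
```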
