User information disclosure via message reactions

Mostafa Elguerdawi
2 min readMar 21, 2024

Hello hackers I’m Mostafa Elguerdawi, I have returned once again with a new article about one of my latest findings.

Firstly, the vulnerability has not been resolved yet, so I won’t mention the name of the program because its a public program.

After creating an account and spending a day and a half understanding the program, I found a feature in it that allows anyone to mention other users in the program’s posts just by knowing their email addresses, So, I created two accounts, one for the victim and the other for the attacker.

I logged into the victim’s account and went to a post related to the program. Then, I mentioned the attacker in the post’s messages. Afterward, I opened the attacker’s email to see the notifications and found that someone had mentioned me, but I couldn’t identify who they were or any information about them except his first name

After opening the notification, I found that I could react or reply to the message from the victim who mentioned me in the post.

Then, I interacted with the message from the victim and intercepted the request using Burp Suite.

After that, I sent the request to the Repeater in Burp Suite and analyzed the response.

I found many private and sensitive information about the victim in the response.

Personal and private information:

  • Email
  • Account status
  • Role
  • Email Creation date
  • Email updating date
  • Notification rules
  • Two factor auth status

I reported them, and the triager accepted the report with a medium severity level.

--

--