User information disclosure via message reactions
Hello hackers, I’m Mostafa Elguerdawi. I have returned once again with a new article about one of my latest findings.
Firstly, the vulnerability has not been resolved yet, so I won’t mention the name of the program because it’s a public program.
After creating an account and spending a day and a half understanding the program, I found a feature in it that allows anyone to mention other users in the program’s posts just by knowing their email addresses. So, I created two accounts, one for the victim and the other for the attacker.
I logged into the victim’s account and went to a post related to the program. Then, I mentioned the attacker in the post’s messages. Afterward, I opened the attacker’s email to see the notifications and found that someone had mentioned me, but I couldn’t identify who they were or any information about them except their first name.
After opening the notification, I found that I could react or reply to the message from the victim who mentioned me in the post.
Then, I interacted with the message from the victim and intercepted the request using Burp Suite.
After that, I sent the request to the Repeater in Burp Suite and analyzed the response.
I found a lot of private and sensitive information about the victim in the response.
Personal and private information:
- Account status
- Role
- Email Creation date
- Email updating date
- Notification rules
- Two factor auth status
I reported them, and the triager accepted the report with a medium severity level.
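The leak described above is a response that serializes the whole user object of the message author to any viewer. As an added example (not code from the affected program or from the author), the sketch below shows an allowlist serializer for the reaction response and a checker that flags sensitive fields on other users' objects in a JSON response; all field names, function names and the sample data are assumptions constructed for illustration.

```python
from typing import Any

# Allowlist: what any other user may see about a message author (assumed keys).
PUBLIC_USER_FIELDS = {"id", "first_name"}

# Assumed key names for the fields the write-up lists as exposed.
SENSITIVE_USER_FIELDS = {
    "account_status", "role", "email_created_at", "email_updated_at",
    "notification_rules", "two_factor_enabled",
}

def public_view(user: dict) -> dict:
    """Copy only allowlisted keys, so new model fields never leak by default."""
    return {k: v for k, v in user.items() if k in PUBLIC_USER_FIELDS}

def reaction_response(message: dict, author: dict, viewer_id: int) -> dict:
    """Build the reaction response; the full profile is returned only to its owner."""
    shown = author if author["id"] == viewer_id else public_view(author)
    return {"message_id": message["id"], "reaction": message["reaction"],
            "author": shown}

def find_exposed_fields(node: Any, viewer_id: int, path: str = "$") -> list:
    """Walk a JSON response; report sensitive keys on objects not owned by the viewer."""
    hits = []
    if isinstance(node, dict):
        if node.get("id") != viewer_id:
            hits += [f"{path}.{k}" for k in sorted(node)
                     if k in SENSITIVE_USER_FIELDS]
        for key, value in node.items():
            hits += find_exposed_fields(value, viewer_id, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_exposed_fields(value, viewer_id, f"{path}[{i}]")
    return hits

# Constructed sample data (not from the real program).
VICTIM = {"id": 101, "first_name": "Vera", "role": "admin",
          "account_status": "active", "email_created_at": "2023-01-05",
          "email_updated_at": "2023-06-01",
          "notification_rules": {"mentions": True}, "two_factor_enabled": False}
MESSAGE = {"id": 9001, "reaction": "thumbs_up"}

if __name__ == "__main__":
    leaky = {"message_id": 9001, "reaction": "thumbs_up", "author": VICTIM}
    print("over-exposed:", find_exposed_fields(leaky, viewer_id=202))
    print("hardened:", find_exposed_fields(reaction_response(MESSAGE, VICTIM, 202), 202))
```

Running `find_exposed_fields` over recorded API responses in an integration test, with the viewer set to a second test account, catches this kind of over-exposure before release.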