Unauthenticated IDOR in Employee Login Exposes PII to more than 100K Users
In the name of God, the Most Gracious, the Most Merciful
Hi geeks,
A few weeks ago, I worked on a private BBP on the HackerOne platform. I usually start my testing with passive and active recon to discover subdomains and learn more about the target. After that, I try to find subdomains that aren’t already well known to other hackers.
First, I try to find subdomains that passive recon tools couldn’t detect, using my favourite active recon methods :))
Here we go, I’ve found a new subdomain: example2.example.com
It’s an employee login portal for the company.
Okay, let’s start our magic now :)
Easy HTMLi in the email
First, within just a few minutes, we discovered an endpoint for the “request user” page, which is used when an employee forgets their password or has login issues. This endpoint sends an email to both the administrator and the employee who submitted the form. From this form, we got an easy HTMLi in the email :)
Searching for a big chicken
We started on the subdomain and found an easy HTML injection within minutes. But I think there is a bigger chicken here with higher impact :)
So I started reviewing the source code and analyzing the JS files (the missing treasure).
I found a juicy endpoint: “/user_management.edit_user_new?p_inst_id=316569953&p_usr_id=-1”
After opening it, I got a nice error telling me that I needed certain cookies for that.
So I tried opening the endpoint with the default cookies from the login page, or by being redirected from it.
LOL, that’s another hidden endpoint for the “request user” page, but now the endpoint has some interesting parameters we can play with :)
After changing the value of the “p_user_id” parameter to a positive number such as “p_user_id=1”, I found PII disclosure for all users (employees & customers), more than 100K users.
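As an added example (not the target’s code or the author’s), here is a minimal Python model of that endpoint’s handler: first with the behaviour described above, where having the default cookies is the only gate, then with the object-level authorization check that closes the IDOR. The record store, the session format with its `user_id` field, the roles and the same-institution admin rule are all assumptions.

```python
NEW_USER = -1  # the p_usr_id value the login page itself sends ("blank form")

# Constructed sample records keyed by user id (not real data).
USERS = {
    1: {"inst_id": 316569953, "name": "A. Example", "email": "a@example.com", "role": "employee"},
    2: {"inst_id": 316569953, "name": "B. Example", "email": "b@example.com", "role": "admin"},
    3: {"inst_id": 999, "name": "C. Example", "email": "c@example.com", "role": "employee"},
}


def edit_user_vulnerable(session, p_inst_id, p_usr_id):
    """As described in the write-up: the only gate is that *some* cookies are present."""
    if "cookies" not in session:
        return 400, "missing cookies"
    if p_usr_id == NEW_USER:
        return 200, {}  # blank "request user" form
    # IDOR: the record is selected purely by the client-supplied id, with no
    # check that the caller is allowed to see it.
    return 200, USERS.get(p_usr_id)


def edit_user_hardened(session, p_inst_id, p_usr_id):
    """Authorize the object, not just the request: who is asking, and may they see this id?"""
    if "cookies" not in session:
        return 400, "missing cookies"
    if p_usr_id == NEW_USER:
        return 200, {}  # the pre-login "request user" form stays reachable
    caller_id = session.get("user_id")  # assumption: set server-side only after a real login
    if caller_id is None:
        return 401, "login required"
    caller = USERS[caller_id]
    target = USERS.get(p_usr_id)
    same_user = caller_id == p_usr_id
    # Assumed rule: an admin may edit users of their own institution only,
    # and the p_inst_id in the request must agree with the stored record.
    inst_admin = (
        target is not None
        and caller["role"] == "admin"
        and caller["inst_id"] == target["inst_id"] == p_inst_id
    )
    if not (same_user or inst_admin):
        # One answer for "no such user" and "not your user", so ids cannot be enumerated.
        return 404, "not found"
    return 200, target
```

A spike of 404s from one session walking sequential `p_usr_id` values is also the signal to alert on for this class of bug.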
If you’ve made it this far, I hope you found this write-up helpful. My apologies if there were any issues along the way… HAVE A NICE DAY!