Hello Everyone, hope you're all doing great. In this write-up, we'll walk through one of my recent findings on a Vulnerability Rewards Program. Here, we will see how even after a sensitive page is restricted, due to an unprotected feature, it can lead to information disclosure.

◼️ Overview

The target was an e-learning web application where users could register with an email address and set up their accounts after verifying it. Let's refer to the target's parent domain as example.com; its subdomain courses.example.com hosted the courses application. After exploring the application for some time, I found that the target company also provides services for third parties to set up their own course sites, and that there were different privilege levels: learner, member, manager, owner, and admin. Trying these role names as endpoints, I found that only https://courses.example.com/admin did anything: it redirected to https://admin.example.com, which displayed a large "restricted" page. Even though this was a restricted page, it returned status code 200.

◼️ Discovery

On this admin page, the accounts section (reached from my account icon in the top right corner) showed only my own account details, not the admin's. It was quite similar to the accounts section at courses.example.com, with one extra feature, "Send Announcement", which I had not seen in my regular user account. Not expecting anything to happen, I clicked the "Send Announcement" button and a form popped up asking for details such as email ID, subject, and body. When I typed the first letter of a random email ID, the form auto-suggested several email IDs from a range of different email domains, including gmail. Actually sending an announcement to a random user was blocked with a 401 Unauthorized response. Looking through the Burp Suite proxy history tab, I saw that admin.example.com was fetching email IDs from the server through the API endpoint /api/dashboard/learners?pagesize=10&sort_key=name&sort_order=ASC&start=0. This was the auto-suggest request issued whenever an email ID was typed into the announcement form.

The JSON response leaked the full name, userid, username, email, etc. of the users, admins, and developers registered on the courses site, my own details included. Increasing the pagesize parameter value returned even more people's information. Note the contrast with the previous step: the "send" action was rejected with a 401, but the lookup request behind the auto-suggest succeeded with a 200, so the authorization check covered the action and not the data endpoint it relies on.
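To make the failure concrete, here is an added example (not the target's code, written for this write-up) that models the learner-lookup endpoint twice: first as the write-up describes it, with no authorization check on the lookup itself, an unbounded pagesize and full records in the response, and then with the controls a defender would add. The handler names, the Request shape, the field names and the 25 placeholder accounts are all assumptions.

```python
# Added example (not the target's code): a minimal model of the learner-lookup
# endpoint, first as the write-up describes it and then with the checks a
# defender would add. Names, fields and sample users are assumptions.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Constructed directory of 25 placeholder accounts; user 1 is the only admin.
USERS: List[Dict[str, Any]] = [
    {
        "userid": i,
        "username": f"user{i:02d}",
        "name": f"User {i:02d}",
        "email": f"user{i:02d}@example.org",
        "role": "admin" if i == 1 else "learner",
    }
    for i in range(1, 26)
]

MAX_PAGESIZE = 10                         # hard cap the server enforces
ALLOWED_SORT_KEYS = {"name", "username"}  # allow-list instead of raw column names


@dataclass
class Request:
    """The parts of an HTTP request the handler cares about (assumed shape)."""
    user_role: str                        # role taken from the server-side session
    query: Dict[str, str] = field(default_factory=dict)


def vulnerable_learners(req: Request) -> Tuple[int, Any]:
    """Lookup as described in the write-up: no authorization check, no cap on
    pagesize, and every column of the record is returned."""
    start = int(req.query.get("start", "0"))
    pagesize = int(req.query.get("pagesize", "10"))
    sort_key = req.query.get("sort_key", "name")          # unvalidated column name
    reverse = req.query.get("sort_order", "ASC").upper() == "DESC"
    rows = sorted(USERS, key=lambda u: u[sort_key], reverse=reverse)
    return 200, rows[start:start + pagesize]              # full PII records


def hardened_learners(req: Request) -> Tuple[int, Any]:
    """Same lookup with the missing controls: the endpoint itself checks the
    caller's role (not just the 'send' action), pagination is bounded and
    validated, sort keys are allow-listed, and only the fields the
    auto-suggest widget needs are returned."""
    # 1. Authorize the data access, not only the action built on top of it.
    if req.user_role != "admin":
        return 401, {"error": "Unauthorized"}
    # 2. Validate and bound pagination so one request cannot dump the table.
    try:
        start = int(req.query.get("start", "0"))
        pagesize = int(req.query.get("pagesize", str(MAX_PAGESIZE)))
    except ValueError:
        return 400, {"error": "start and pagesize must be integers"}
    if start < 0 or pagesize < 1:
        return 400, {"error": "start must be >= 0 and pagesize >= 1"}
    pagesize = min(pagesize, MAX_PAGESIZE)
    # 3. Allow-list sort keys so the client cannot sort by (and probe) arbitrary columns.
    sort_key = req.query.get("sort_key", "name")
    if sort_key not in ALLOWED_SORT_KEYS:
        return 400, {"error": "unsupported sort_key"}
    reverse = req.query.get("sort_order", "ASC").upper() == "DESC"
    rows = sorted(USERS, key=lambda u: u[sort_key], reverse=reverse)
    # 4. Minimize: return only what the suggestion list displays.
    page = [{"name": u["name"], "email": u["email"]} for u in rows[start:start + pagesize]]
    return 200, page


if __name__ == "__main__":
    dump = Request("learner", {"pagesize": "1000"})
    print("vulnerable:", vulnerable_learners(dump)[0], "rows:", len(vulnerable_learners(dump)[1]))
    print("hardened  :", hardened_learners(dump))
    print("hardened admin:", len(hardened_learners(Request("admin", {"pagesize": "1000"}))[1]), "rows")
```

The order of the checks matters: the role check comes before any parsing, so an unauthenticated or low-privilege caller learns nothing from validation errors, and the cap on pagesize is enforced even for admins, because a legitimate auto-suggest never needs more than a handful of rows.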

◼️ Conclusion

Hence, we can conclude that even after restricting the admin page, a single unprotected feature on that page can leak PII records. The "Send Announcement" feature acted as a hole in the protected environment and was responsible for the leak: the restriction was applied to the page and to the send action, but not to the lookup API the feature depends on. As per the policy, I stopped here, reported the issue as soon as possible, and an immediate fix was implemented.
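For teams on the defending side, the two signals of this leak are visible in ordinary web-server access logs: successful lookup requests with a pagesize far larger than the UI ever sends, and one client paging through the whole directory. The following added example (not the target's own tooling) scans constructed Combined-Log-Format lines for both; the endpoint path is the one from the write-up, while the thresholds, IP addresses and log lines are assumptions.

```python
# Added example (not the target's own tooling): scanning web-server access logs
# for the two signals of this leak, oversized pagesize values and bulk paging
# of the learner-lookup endpoint by one client. Log lines are constructed.
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

LEARNERS_PATH = "/api/dashboard/learners"

# Constructed Combined-Log-Format style lines; IPs are documentation ranges.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /api/dashboard/learners?pagesize=10&sort_key=name&sort_order=ASC&start=0 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [10/Oct/2023:10:00:09 +0000] "GET /api/dashboard/learners?pagesize=500&sort_key=name&sort_order=ASC&start=0 HTTP/1.1" 200 91210',
    '203.0.113.5 - - [10/Oct/2023:10:00:15 +0000] "GET /api/dashboard/learners?pagesize=500&sort_key=name&sort_order=ASC&start=500 HTTP/1.1" 200 90877',
    '198.51.100.7 - - [10/Oct/2023:10:01:00 +0000] "GET /api/dashboard/learners?pagesize=10&sort_key=name&sort_order=ASC&start=0 HTTP/1.1" 401 42',
    '198.51.100.9 - - [10/Oct/2023:10:02:00 +0000] "GET /courses/123 HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    url = urlsplit(target)
    return {
        "ip": ip, "ts": ts, "method": method, "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(status), "size": int(size),
    }


def detect_learner_dump(lines: List[str], max_pagesize: int = 10,
                        max_rows_per_client: int = 100) -> List[Tuple[str, str, int]]:
    """Return (client_ip, signal, value) findings.

    'oversized_pagesize': a successful lookup asked for more rows than the UI
    ever requests. 'bulk_enumeration': one client's successful lookups add up
    to more rows than any legitimate auto-suggest session would fetch."""
    findings: List[Tuple[str, str, int]] = []
    rows_by_client: Dict[str, int] = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] != LEARNERS_PATH or rec["status"] != 200:
            continue  # only successful reads of the sensitive endpoint count
        try:
            pagesize = int(rec["query"].get("pagesize", "10"))
        except ValueError:
            continue
        rows_by_client[rec["ip"]] += pagesize
        if pagesize > max_pagesize:
            findings.append((rec["ip"], "oversized_pagesize", pagesize))
    for ip, total in rows_by_client.items():
        if total > max_rows_per_client:
            findings.append((ip, "bulk_enumeration", total))
    return findings


if __name__ == "__main__":
    for finding in detect_learner_dump(SAMPLE_LOG):
        print(finding)
```

The 401 line is deliberately ignored: a blocked request is evidence of a working control, whereas a 200 on a large pagesize is evidence the control is missing on that endpoint. Once the server caps pagesize, the first signal disappears and only the per-client total remains useful.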

Thank you very much for reading. Have a great day!!

The End…