Disclosure: https://hackerone.com/reports/864783

The story

As a bug bounty hunter, I grind through endless hours chasing vulnerabilities. But this gem? It wasn't born from marathon sessions or meticulous scans. One lazy evening, an email from Glassdoor pinged my phone. On a whim, I tapped it on mobile… and spotted something wildly off. What unfolded next became one of my all-time favorite finds!

The uploadResume endpoint

The email was in response to my job alert creation, which was mandatory when creating a new account. This feature is meant to send you alerts for a job role (e.g. Software Engineer) in a chosen location. I opened the email, which was asking me to upload my resume using a link that looked like

/uploadResume?jobAlertEncryptedKey=<<Encoded job alert key here>>

I inspected the response and, to my surprise, it contained my email address even though I was unauthenticated.

Decoding — jobAlertEncryptedKey

The parameter "jobAlertEncryptedKey" appeared to be a simple base64 encoding. Upon decoding, it looked like

All Life is experiment-1586174943118-18118324

18118324 is the job alert id that was created when I signed up. I simply changed this ID and encoded it back using base64 (without touching All Life is experiment-1586174943118- ).

The response started giving email addresses back that are associated with the job alert.

Enumerating job alert identifiers

  • Job alert identifiers are created sequentially, making enumeration easy.
  • Once you create an account on Glassdoor, you are prompted to create a job alert, and intercepting that request gives you an identifier.

Impact

An attacker could have methodically enumerated IDs in reverse order, potentially harvesting millions of users' email addresses from Glassdoor's job alert system.

Fix

Glassdoor moved lightning-fast on this one — patching the bug almost immediately, thanks to its high-impact nature.

  • Severity: High
  • Bounty: $1500
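The post does not say how Glassdoor fixed the endpoint. The example below is added here (it is not the author's code nor Glassdoor's) to contrast the weak key described above, base64 of a fixed prefix plus a sequential id, with a hypothetical hardened version in which the server MACs the id so that a changed id no longer verifies. The prefix, ids and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample reproducing the decoded key format quoted in the post.
PREFIX = "All Life is experiment-1586174943118-"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def weak_key(job_alert_id: int) -> str:
    """The scheme described in the post: base64 of a fixed prefix plus a
    sequential id. Base64 is encoding, not encryption, so anyone can read it."""
    return base64.urlsafe_b64encode(f"{PREFIX}{job_alert_id}".encode()).decode()

def decode_weak_key(key: str) -> int:
    """Decode the weak key back to its job alert id (what the author did)."""
    plain = base64.urlsafe_b64decode(key.encode()).decode()
    return int(plain.rsplit("-", 1)[1])

# Hypothetical hardening (not Glassdoor's actual fix): a server-held secret
# MACs the id so that a modified id fails verification.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; never placed in the URL

def signed_key(job_alert_id: int, secret: bytes = SERVER_SECRET) -> str:
    msg = str(job_alert_id).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(msg + tag).decode()

def verify_signed_key(key: str, secret: bytes = SERVER_SECRET):
    """Return the job alert id if the tag verifies, otherwise None.
    compare_digest keeps the comparison constant-time."""
    try:
        raw = base64.urlsafe_b64decode(key.encode())
    except (ValueError, TypeError):
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not msg.isdigit():
        return None
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int(msg)

def swap_id(key: str, new_id: int) -> str:
    """Test helper: keep the old tag but change the id, the same edit that
    worked against the weak key. The signed version must reject it."""
    raw = base64.urlsafe_b64decode(key.encode())
    return base64.urlsafe_b64encode(str(new_id).encode() + raw[-TAG_LEN:]).decode()
```

Even with a verified key, an unauthenticated response should still return only what the resume-upload flow needs, not the account's email address.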

Key Learnings (as a researcher)

  • Always scrutinize URL and API endpoints for sequential IDs, changeable keys, or predictable identifiers.
  • If they respond without authentication, dig into the response body for leaked user data like emails or names.
  • This simple habit uncovers enumeration flaws that expose millions — stay sharp and methodical.