Blind Information Disclosure due to heavy misconfiguration

Dec 18, 2020


Hi everyone,

I am Aditya Shende (Kong) from India, a bounty hunter, biker and researcher. I know the title of this story is pretty weird, but the finding and the logic behind it are really awesome (I feel). Without wasting time, I will start with my finding.

A proper and more functional target, the kind I like most while hunting. I can't disclose its name; yeah, it's a private one. Let's call it (that's what everyone puts). Whenever I check any application I see virtual exploits in my mind, so the thinking is: it may happen, it may be vulnerable, and so on. The point is, why not try? I did it.

While checking the application I found there is no verification for account creation, so you just create an account and go to the login page to access it. Yes, this is how I check functions as a normal user. For an extra-privileged account I visit to see company employee emails and tried to create an account using that email = No success. Another thing I tried: account creation using = No success.

So I started again on the register form, which we know is buggy for email ID enumeration. So what?? It's P5.

So email enumeration is valid no matter what the priority (P5).

I created an account with (xD) because was already created. I got a mail on which was showing the email ID, password for login and phone number for that Ahh, weird!!! Come on bruhhhh, alias as usual.

Evil hack Kong

So I have access over but for registration I can't force a user to create an account with +anynumberhere. Example: So I again logged in to and updated my phone number, and again I got a mail on: “Your phone number is updated to +91 XXXXXXXXX”. So the function is: whatever we update in the account, it gives all updates over email.

Phone number and password is fake,xD

Here I changed the game. I accessed my account on and changed my email ID to, As usual I got a mail saying that your updated mail ID is (it must say “already in use”). So the point is is able to log in with 2 passwords, because one is mine (attacker) and the other one is the victim's. So I tried, and luckily it was working with both passwords.

So what's the impact here?? When the victim user updates any information like email ID, phone number and other functions, it will send an update email to my Gmail account. IDK when the user will update his/her information, so it's BLIND. All over the world the users of are 78k+, and yessss they are all buggy. Whatever they update, the hacker will get the information, whose priority is P1 because the data contains username, password, phone number, email ID, address etc.

Steps to reproduce:

  1. Enumerate email IDs from the register function (
  2. Create an account of yours ( which you have access on Gmail
  3. Log in to with and update your email to
  4. You can call it ATO also (hahahhaaha); the malfunctioning part is that it sends every update to the main email.
  5. Passwords on for hacker and victim are qazwsx and qwerty respectively.
  6. The victim can log in using qwerty and qazwsx also (misconfiguration)

Threat: Using the register form, a hacker can enumerate emails and perform a specific attack to gain sensitive information: whenever the victim updates any information in the account, it sends an email which contains sensitive information.

Email verification is important | Check whether the user exists or not | Give the user the privilege to enable/disable notifications over mail
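One way to implement the first two fixes above, as an added example that is not the target's code or part of the original write-up: an email change is refused when the address is already in use, and it only takes effect after the new address confirms a one-time token. `AccountStore`, its methods and the `example.test` addresses used with it are hypothetical names constructed for illustration.

```python
import secrets

class EmailInUse(Exception):
    """Raised when an address already belongs to an account."""

class AccountStore:
    """Hypothetical in-memory user table, constructed for this example."""

    def __init__(self):
        self.by_email = {}   # normalized email -> account id (acts as a unique index)
        self.pending = {}    # one-time token -> (account id, requested email)
        self.outbox = []     # (recipient, body) pairs standing in for real mail

    @staticmethod
    def normalize(email):
        return email.strip().lower()

    def register(self, account_id, email):
        key = self.normalize(email)
        if key in self.by_email:
            raise EmailInUse(key)
        self.by_email[key] = account_id

    def request_email_change(self, account_id, new_email):
        key = self.normalize(new_email)
        if key in self.by_email:          # the "already in use" check
            raise EmailInUse(key)
        token = secrets.token_urlsafe(32)
        self.pending[token] = (account_id, key)
        # The new address receives only a confirmation token, never account data.
        self.outbox.append((key, "Confirm your email change: " + token))
        return token

    def confirm_email_change(self, token):
        account_id, key = self.pending.pop(token)   # KeyError if unknown or reused
        if key in self.by_email:                    # re-check at commit time
            raise EmailInUse(key)
        for old in [e for e, a in self.by_email.items() if a == account_id]:
            del self.by_email[old]
        self.by_email[key] = account_id
        return key
```

In a real database the same guarantee comes from a unique constraint on the normalized email column, so two accounts can never resolve to one login address.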

Yes, it's my 1st article.

That's all from my side. If I made any mistakes, let it be. I hope you learned something new.

Jai Hind



