How I Discovered and Reported a PII Disclosure Vulnerability

Kongsec
3 min read · May 5, 2023

Hi everyone,

I am Aditya Shende (Kong) from India. A Bounty Hunter, Biker and Researcher.

This is my 11th article. If you find any spelling errors, let them be... Let's start.

As technology continues to advance, protecting user privacy and security is becoming more important than ever. Unfortunately, recent reports have shown that some companies are failing to adequately protect sensitive data, resulting in serious breaches of user privacy.

One such example is the recent discovery of an information disclosure vulnerability in several API endpoints used by Cloud’s Marketplace. These endpoints were found to be disclosing personally identifiable information (PII) data, including phone numbers, addresses, access keys, postal codes, seller IDs, and personal information such as house addresses. This is a serious breach of user privacy and security, as this information can be used by malicious actors for identity theft, fraud, and other illegal activities.

To reproduce the vulnerability, all one needs to do is send a GET request to any of the affected URLs listed in the report. The response will contain PII data, including the sensitive information mentioned above.

The impact of this vulnerability is significant, as the disclosure of PII data can lead to serious privacy and security issues for users. It is therefore crucial that immediate action is taken to address this issue and protect user privacy. The report recommends that the affected endpoints be taken down immediately until the issue is resolved, and that the development team investigate the root cause of the issue and fix it as soon as possible.

In addition, a thorough security audit should be conducted to ensure that no other endpoints or systems are vulnerable to similar data disclosure issues. The affected users should also be notified about the breach and provided with instructions on how to protect themselves from potential fraud or identity theft.
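The audit step above boils down to two checks: scan what each endpoint actually returns for PII, and make sure the handler only serializes fields approved for unauthenticated callers. The following is an added example written for this article, not code from the report or from the affected marketplace. The sample response, the key names and the value patterns are constructed for illustration; a real audit would run `find_pii` over captured responses from your own endpoints.

```python
import json
import re

# Constructed sample of the kind of record an unauthenticated listing endpoint
# might return. Illustrative only; not the real response from the report.
SAMPLE_RESPONSE = {
    "sellerId": "SELLER-00042",
    "displayName": "Acme Widgets",
    "phone": "+91 98765 43210",
    "address": {"line1": "12 Example Street", "postalCode": "560001"},
    "accessKey": "AKIAEXAMPLEEXAMPLE12",
    "products": [{"id": "p1", "title": "Widget"}],
}

# Keys that must never appear in a public (unauthenticated) response.
# Compared case-insensitively. Extend for your own schema.
SENSITIVE_KEYS = {"phone", "address", "line1", "postalcode", "accesskey", "email"}

# Value patterns that flag PII or secrets regardless of the key they sit under.
VALUE_PATTERNS = {
    "phone_number": re.compile(r"\+?\d[\d\s-]{8,}\d"),
    "aws_style_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def find_pii(obj, path="$"):
    """Walk a decoded JSON body and return (json_path, reason) findings."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                findings.append((child, "sensitive_key"))
            findings.extend(find_pii(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_pii(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(obj):
                findings.append((path, reason))
    return findings


def scan_response_text(body: str):
    """Audit helper: scan a raw JSON response body captured from an endpoint."""
    return find_pii(json.loads(body))


# The fix on the server side: serialize from an allow-list, never from the raw
# record. Seller IDs are kept off the list too, since the report counts them as PII.
PUBLIC_FIELDS = ("displayName", "products")


def public_view(record: dict) -> dict:
    """Return only the fields approved for unauthenticated callers."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


if __name__ == "__main__":
    for path, reason in find_pii(SAMPLE_RESPONSE):
        print(f"LEAK {path}: {reason}")
    print("public view:", json.dumps(public_view(SAMPLE_RESPONSE)))
    print("leaks after fix:", find_pii(public_view(SAMPLE_RESPONSE)))
```

Running it lists seven findings on the raw record (the phone, address, postal code and access key fields, plus the phone and key values themselves) and none on the allow-listed view. Using an allow-list rather than a deny-list matters: a new column added to the seller table later is hidden by default instead of leaking by default.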

This is not the only vulnerability discovered in Cloud’s Marketplace. Another was found at the URL https://staging.example.com/api/marketplace/v1/portal/product/query?forms=1104&page=1, which is also affected by an information disclosure issue. The “forms” parameter reveals the ISV ID in an encoded form, which in turn discloses business information. The impact is that sensitive information is exposed that could be used by attackers to target specific businesses or individuals.

I escalated the vulnerability by using Burp Suite’s Intruder tool, where I selected the position of the ISV ID parameter and tested various values to see if any sensitive information was being revealed. This allowed me to confirm that the vulnerability existed and determine the specific parameter that was being disclosed.

To reproduce this vulnerability, one needs to go to the URL mentioned above and observe that the ISV ID is revealed in an encoded form. Decoding the ISV ID reveals sensitive business information.
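The root cause in this second finding is that a public query parameter is a reversible encoding of an internal partner identifier, so anyone can decode it, and anyone can mint values for other partners. The defensive fix is an opaque, randomly generated handle that is resolved server-side and checked against the caller's authorization. The following is an added example, not code from the report or from the marketplace; the article does not say which encoding was used, so base64 of the numeric ID is assumed here purely for illustration, and the registry class and partner names are hypothetical.

```python
import base64
import secrets


# Assumed vulnerable pattern (for illustration): the public parameter is just a
# reversible encoding of the internal ISV ID, so it can be decoded or forged.
def encode_isv_id_reversible(isv_id: int) -> str:
    return base64.urlsafe_b64encode(str(isv_id).encode()).decode()


def decode_isv_id_reversible(token: str) -> int:
    return int(base64.urlsafe_b64decode(token.encode()).decode())


class OpaqueHandleRegistry:
    """Hypothetical server-side mapping from random public handles to internal IDs.

    Handles carry no information about the ID they stand for, and resolution
    succeeds only for the partner the handle was issued to.
    """

    def __init__(self):
        self._handles = {}  # handle -> (isv_id, owner)

    def issue(self, isv_id: int, owner: str) -> str:
        # 16 random bytes -> 22-char URL-safe token; unguessable, not decodable.
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (isv_id, owner)
        return handle

    def resolve(self, handle: str, caller: str):
        """Return the internal ID only if the handle exists and belongs to caller."""
        entry = self._handles.get(handle)
        if entry is None:
            return None
        isv_id, owner = entry
        if caller != owner:
            return None
        return isv_id


if __name__ == "__main__":
    weak = encode_isv_id_reversible(1104)
    print("reversible token:", weak, "->", decode_isv_id_reversible(weak))

    registry = OpaqueHandleRegistry()
    handle = registry.issue(1104, owner="partner-a")
    print("opaque handle:", handle)
    print("owner resolves:", registry.resolve(handle, "partner-a"))
    print("other partner resolves:", registry.resolve(handle, "partner-b"))
    print("forged handle resolves:", registry.resolve("not-a-real-handle", "partner-a"))
```

The reversible token round-trips to 1104 with no server involvement, which is exactly the property that made the original parameter an information disclosure. The opaque handle only means something to the registry, and even a valid handle yields nothing to a caller who does not own it, so decoding and enumeration both stop working as a way to learn about other businesses.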

Kongsec

#kongsec | Solo Bounty Hunter | Function Exploits and Report Crafting | Bikes | Not a XSS guy | Own views | Bugcrowd Top 100 l Top 10 P1 warriors | Biker