Shivam Pandey
3 min read · Mar 25, 2020

From a publicly available database leak to a high-impact business logic error

Hello everyone, this is my first writeup. I hope you guys will like it, let’s get started :)

My target is private so I will call it “target”; it is a tech giant with many subsidiaries.

Usually I start with passive recon, so I began with normal GitHub recon using searches like

target “api”, target “token” etc.

I had no success with that, so I remembered a great writeup from Prateek Tiwari where he mentioned scribd.com.

What is Scribd?

Scribd is an American e-book and audiobook subscription service that includes one million titles. Scribd hosts 60 million documents on its open publishing platform.

So I used a simple dork like

site:scribd.com “target”

and got a few results with no sensitive info.

Then I tried one more dork:

site:scribd.com “TARGET”

Here I just gave my target name in capital letters, and got one PDF containing publicly available database info on more than 1k employees: their phone numbers, salaries, emails, addresses etc., all in a public PDF.

I was like ohh yesss

After I reported this to the company, they removed that PDF within an hour. Now bounty time: I asked for a bounty.

They said that for this subsidiary they don’t have a bug bounty program.

I was like wtf?? Really!

After a few days I got to know they have one subsidiary that runs an online shopping website and has a bug bounty program, so I tried to find something there.

After finding a few subdomains for this subsidiary, one subdomain got my attention: it was for all the employees of my target company, where they can shop and get a discount.

So I thought I’d give this a try. One classic idea came to my mind: what if an employee has left the job but is still able to purchase anything at a discount??

How the account creation process works:

The target domain uses the employee’s government ID. After uploading it and entering the government ID number, the site checks whether an employee with that number exists in the database or not; if yes, it creates the account :D

As I already had my target company’s database, I asked for red team permission. After getting permission, I contacted one of the people who had left the job, using his phone number from the database info. I collaborated with him and, using his government ID, I was able to create an account.

So now I was able to buy anything at a discount even though that employee had left the job.

This creates a huge business loss and a complete business logic error: the target doesn’t delete (or even mark as departed) old employee details in the database, so the eligibility check only proves the ID exists, not that the person is still employed.
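To make the flaw and the fix concrete, here is an added Python example (my own illustration, not the target’s code; the employee records, account ids and the `status`/`left_on` fields are constructed assumptions). It shows the eligibility check as the writeup describes it, an “existence” lookup, next to a hardened version that requires an active employment record, plus an offboarding step and an audit that flags discount accounts already tied to departed employees:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Employee:
    gov_id: str
    name: str
    status: str                      # "active" or "terminated" (assumed field)
    left_on: Optional[date] = None   # set when the employee is offboarded


@dataclass
class ShopAccount:
    account_id: str
    gov_id: str                      # employee record the discount account is tied to
    suspended: bool = False


# Constructed sample HR records; hypothetical, not the target's data.
EMPLOYEES: Dict[str, Employee] = {
    "GOV-1001": Employee("GOV-1001", "Alice", "active"),
    "GOV-1002": Employee("GOV-1002", "Bob", "terminated", date(2019, 11, 30)),
}

# Constructed sample discount-shop accounts, one held by a departed employee.
ACCOUNTS: List[ShopAccount] = [
    ShopAccount("acct-1", "GOV-1001"),
    ShopAccount("acct-2", "GOV-1002"),
]


def can_register_vulnerable(gov_id: str, hr: Dict[str, Employee] = EMPLOYEES) -> bool:
    """The check as the writeup describes it: the ID number only has to exist
    in the database, so a former employee's ID still unlocks the discount."""
    return gov_id in hr


def can_register_hardened(gov_id: str, hr: Dict[str, Employee] = EMPLOYEES) -> bool:
    """Existence is not employment: require a current, active record."""
    emp = hr.get(gov_id)
    return emp is not None and emp.status == "active" and emp.left_on is None


def offboard(gov_id: str, left_on: Optional[date] = None,
             hr: Dict[str, Employee] = EMPLOYEES) -> bool:
    """Leaver process: mark the record terminated instead of leaving it
    indistinguishable from a current employee. False if no such record."""
    emp = hr.get(gov_id)
    if emp is None:
        return False
    emp.status = "terminated"
    emp.left_on = left_on or date.today()
    return True


def audit_discount_accounts(accounts: List[ShopAccount],
                            hr: Dict[str, Employee] = EMPLOYEES) -> List[str]:
    """Detection for accounts created before the fix: suspend and return the
    ids of shop accounts whose employee is missing or no longer active."""
    flagged: List[str] = []
    for acct in accounts:
        if not can_register_hardened(acct.gov_id, hr):
            acct.suspended = True
            flagged.append(acct.account_id)
    return flagged


if __name__ == "__main__":
    print("vulnerable check lets Bob register:", can_register_vulnerable("GOV-1002"))
    print("hardened check lets Bob register:  ", can_register_hardened("GOV-1002"))
    print("accounts to suspend:", audit_discount_accounts(ACCOUNTS))
```

The hardened check alone is not enough if HR never updates the record, which is why the offboarding step and the periodic audit belong to the same fix: the shop must re-validate employment on each discount purchase, not just at signup.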

A few days after reporting this, I got a reply like this:

So this was everything about my first writeup. If anybody has questions or suggestions, contact me via Twitter.