Information Disclosure via External Live Chat Service

2022-1-25 15:44:48 Author: infosecwriteups.com

Shi~

Hi folks!

I hope you’re all safe and good. Today’s write-up explains how I was able to fetch website staff first names, phone numbers and e-mail addresses through an external live chat service.

I found this vulnerability in a private program on HackerOne, so we can call that program redacted.com. First, I looked for a live chat service on the main domain but couldn’t find anything. Then I registered on the website, and now I could see the live chat was there. I sent some messages to the live chat service, but it seemed to be an auto-reply chat service. I lost my momentary joy.

After I finished my research on the main domain, I started to examine the request history in Burp Suite. I saw a request to https://api.redactedchatservice.com/restapi/v1/team/user/members?access-token=jwttoken.

Well, I had probably found 298 phone numbers of live support agents!

Then I checked a phone number’s WhatsApp account to verify whether it belonged to a physical (real) SIM card. Yes! That phone number had a WhatsApp account, so it was a real phone number. I immediately reported it.
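The finding above has two parts worth catching early in a review of proxy history: a credential passed in a URL query string, and an API response that returns staff contact details. The script below is an added example written for this write-up, not code from the original post or from the chat vendor. It walks constructed HAR-style entries (the host name, token and member records are placeholders, not data from the report), flags query parameters that carry a token, and counts PII-looking fields in each JSON response without echoing the values themselves.

```python
"""Added audit example (not from the original write-up). Scans proxy-history
entries for two defensive signals the post illustrates: access tokens passed
in a URL query string, and API responses that carry staff contact data."""
import json
import re
from urllib.parse import urlsplit, parse_qs

# Shape of a JWT: three base64url segments separated by dots (header.payload.sig).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Query parameter names commonly used to carry credentials (assumption: illustrative list).
TOKEN_PARAMS = {"access-token", "access_token", "token", "api_key", "apikey", "jwt"}
# JSON keys that indicate personal contact data (assumption: illustrative set).
PII_KEYS = {"phone", "phone_number", "mobile", "email", "e-mail", "first_name", "firstname"}

# Constructed sample entries standing in for Burp/HAR history; host, token and
# member records are placeholders, not data from the report.
SAMPLE_ENTRIES = [
    {
        "url": "https://api.example-chatservice.invalid/restapi/v1/team/user/members"
               "?access-token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.abc123",
        "status": 200,
        "body": json.dumps({"members": [
            {"first_name": "Agent One", "phone": "+10000000001", "email": "a1@example.invalid"},
            {"first_name": "Agent Two", "phone": "+10000000002", "email": "a2@example.invalid"},
        ]}),
    },
    {
        "url": "https://api.example-chatservice.invalid/restapi/v1/chat/send?lang=en",
        "status": 200,
        "body": json.dumps({"ok": True}),
    },
]


def token_in_query(url):
    """Return the names of query parameters carrying a credential, either
    JWT-shaped or simply named like one. Tokens in URLs end up in proxy logs,
    browser history and Referer headers, which is why this is flagged on its own."""
    qs = parse_qs(urlsplit(url).query)
    hits = []
    for name, values in qs.items():
        if name.lower() in TOKEN_PARAMS or any(JWT_RE.match(v) for v in values):
            hits.append(name)
    return hits


def walk_pii(obj, path="$"):
    """Yield (json_path, key) for every PII-looking key anywhere in a JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in PII_KEYS:
                yield f"{path}.{k}", k
            yield from walk_pii(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_pii(v, f"{path}[{i}]")


def audit_entries(entries):
    """Summarise each entry: which query params carry a token, and how many PII
    fields the response body exposes. Values are counted, never printed, so the
    audit output does not itself reproduce the personal data."""
    report = []
    for e in entries:
        try:
            body = json.loads(e.get("body") or "null")
        except json.JSONDecodeError:
            body = None
        pii = list(walk_pii(body))
        report.append({
            "path": urlsplit(e["url"]).path,
            "token_params": token_in_query(e["url"]),
            "pii_fields": len(pii),
            "pii_keys": sorted({k for _, k in pii}),
        })
    return report


if __name__ == "__main__":
    for row in audit_entries(SAMPLE_ENTRIES):
        print(row)
```

On the constructed sample, the members endpoint is reported with `access-token` in its query string and six PII fields across two records, while the chat/send entry reports nothing. The same walk can be pointed at a real HAR export by loading each entry's `request.url` and `response.content.text` into the dict shape used here.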

Report Timeline

  • Submitted on July 2, 2021
  • Fixed on July 6, 2021
  • $$$ bounty awarded on July 20, 2021, as Medium severity.

My reaction after the report was triaged :D

Thanks for reading my first write-up. Happy to share this find with you all. If you found anything interesting, feel free to share. DM me on Twitter if you have any queries. Stay home and stay safe! ♥

Our Discord Server: https://discord.gg/bug