Hello everyone!

Today we’re going to talk about the vulnerability I found a few months ago. The vulnerability targeted customers and suppliers directly in the company, also was a subdomain of a large skincare company. (This report has been resolved but I can’t provide information about the company because it runs a private program) I will try to explain this vulnerability to you briefly. I hope I can contribute to the development of your know-how. So let’s get started.

Recon is not dead!

First, I was on crt.sh and after several unsuccessful hacking attempts to other subdomains I found this subdomain. The subdomain was just an employee panel and no other features. It only covered the login panel.

I ran LinkFinder on that panel and found a few JS files from the app. One of the JS files won my priority because the filename contained the word “login”.

The href part is interesting. If we had a successful login it would redirect us to ‘App/Index/#!/Dashboard’. But does it really control? Here’s the time to test the Broken Access Control.

I went directly to the href address without logging in and was successfully able to access the app’s dashboard! No need to login.

But that is not all. Because there was something wrong. The application dashboard didn’t return any data. I could only see the interface. Everything was zero.

More recon get results & It’s hacktime!

Here is the exciting part. I needed more endpoints because that JS file didn’t contain any other endpoints. I went back to Linkfinder and started inspecting all the JS files I found. Before long, I reached the following endpoints.

I’ve tried a few endpoints and all, and I had some results as “Inbound” and “Outbound”. (These meant customers and suppliers.)

I came across such a tab and the file upload function was ineffective. However, the ‘Customer’ button in the ‘Download Templates’ tab was working. (Likewise the ‘Suppliers’ button in Inbound) BINGO!

I got all (5200-odd) the customers and suppliers’ PII information in the app. (Both csv files contain customer_code, name, address, phone.)

I had to download and search to check if the data was genuine. I did NOT go further than this step.

This report is rated high severity and fixed several months ago. And here is my tweet:

https://twitter.com/canmustdie/status/1471101658679681024

That’s all for now. Thanks for reading. See you in another write up!

You can follow me on twitter: https://twitter.com/canmustdie