FirstBlood-#281Hackerback Event Details Along with Attendee's Personal Information Exposed to Public
This issue was discovered on FirstBlood v1



On 2021-05-15, netmous3 Level 4 reported:

Description:

Current and previous hackerback event information's along with the attendee's personal information was exposed to the public. The vulnerable endpoint did not employ any of the authentication mechanisms before releasing that information.

Steps To Reproduce:
  1. Create a GET request to the vulnerable endpoint while adding an extra header value as below.
    X-SITE-REQ: permitted
  2. Observe the hackerback event details in the response.
  3. Use both event id values (560700 and 560720) with query parameters to retrieve both old and current event details.
Impact:

The company could face a financial losses and credibility losses due to a patient's PII leak.
Further, there could be lawsuits against the company issued by the victims of data leak. Requests for damages, if the institution’s irresponsibility for information security is proven, will not only cause financial losses and irreversible corporate reputation, but will also mark the business in court.

P1 CRITICAL

Endpoint: /attendees/event.php?

Parameter: q

Payload: 560700 and 560720


FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.