Abusing 'Report Abuse'

One fine day, I was invited to another private program, this one being a foreign financial-institution kind of company. I don't always invest time in foreign fintech companies because in most cases the setup itself requires a verified account, and for that you need to submit a verification document, which I don't have for that country.

However, this time, since I hadn't done any bug hunting for the past couple of months, I thought of dabbling with this. I spent a couple of hours without finding anything, then came back to it after a few hours.

This company also had a forum for discussion. I checked for XSS and some other common things but didn't find any. The posts in the forum went through a moderation queue.

Later on I tried fiddling with the features in the forum. There was a 'report abuse' functionality for each post on the forum.

Report Abuse Leaking Post not yet posted

The above screenshot is of a post that I created and then reported abuse for; it wasn't yet available on the forum, but an attacker could still see its contents because of 'report abuse'.

Verification

Now, to verify the bug, I created another account and, using the report id, I sent a 'report abuse' request, and yeah, I could see the post that wasn't yet posted. Now all I had to do was iterate over the post id, which, conveniently enough, was incremental, and thus I could see posts which weren't yet posted.

Since this was a financial forum, if someone posted something financially important which the moderators didn't approve (because it had something sensitive and shouldn't be posted on the forum), an attacker could still see it.
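To make the bug concrete, here is an added example (my own illustration, not code from the post or from the affected forum): a minimal in-memory model of a forum whose 'report abuse' handler looks a post up by id and echoes its body back, next to a hardened handler, plus the id-walking loop described above. The Forum class, its method names and the sample posts are all constructed for illustration; the real forum's request and response format is not known from the write-up.

```python
# Added example, not from the original post: a toy forum with a leaky
# 'report abuse' handler (as described in the write-up) beside a hardened one.
# Class, method names and sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Post:
    post_id: int
    author: str
    body: str
    approved: bool = False  # False while the post sits in the moderation queue


class Forum:
    def __init__(self) -> None:
        self._posts: Dict[int, Post] = {}
        self._next_post_id = 1  # sequential ids, as on the affected forum
        self._next_report_id = 1

    def create_post(self, author: str, body: str) -> int:
        post_id = self._next_post_id
        self._next_post_id += 1
        self._posts[post_id] = Post(post_id, author, body)
        return post_id

    def approve(self, post_id: int) -> None:
        self._posts[post_id].approved = True

    def _file_report(self, reporter: str, post_id: int) -> int:
        # A real forum would persist (reporter, post_id); here we only mint the id.
        report_id = self._next_report_id
        self._next_report_id += 1
        return report_id

    def report_abuse_vulnerable(self, reporter: str, post_id: int) -> Optional[dict]:
        """Vulnerable: looks the post up by id only and echoes its body back."""
        post = self._posts.get(post_id)
        if post is None:
            return None
        report_id = self._file_report(reporter, post_id)
        # Bug: no check that `reporter` may see this post, and the response
        # carries the post body, so posts still in the moderation queue leak.
        return {"report_id": report_id, "post_id": post_id, "post": post.body}

    def report_abuse_fixed(self, reporter: str, post_id: int) -> Optional[dict]:
        """Hardened: only posts visible to the reporter can be reported,
        and the response never echoes post content."""
        post = self._posts.get(post_id)
        visible = post is not None and (post.approved or post.author == reporter)
        if not visible:
            # Same response for "no such post" and "not visible to you", so the
            # endpoint is not an oracle for which ids are sitting in the queue.
            return None
        report_id = self._file_report(reporter, post_id)
        return {"report_id": report_id, "post_id": post_id}


def enumerate_queue(report: Callable[[str, int], Optional[dict]],
                    reporter: str, max_post_id: int) -> Dict[int, str]:
    """What the write-up describes: walk the incremental post ids and
    collect any post body the endpoint hands back."""
    leaked: Dict[int, str] = {}
    for post_id in range(1, max_post_id + 1):
        response = report(reporter, post_id)
        if response and "post" in response:
            leaked[post_id] = response["post"]
    return leaked


def demo() -> Dict[str, Dict[int, str]]:
    forum = Forum()
    # Constructed sample data: one queued post by another user and one
    # approved post by the attacker's own account.
    forum.create_post("victim", "queued: details moderators would never approve")
    own = forum.create_post("attacker", "approved post by the attacker")
    forum.approve(own)
    return {
        "vulnerable": enumerate_queue(forum.report_abuse_vulnerable, "attacker", 10),
        "fixed": enumerate_queue(forum.report_abuse_fixed, "attacker", 10),
    }


if __name__ == "__main__":
    print(demo())
```

Two things carry the fix: the handler authorises against the post's visibility (approved, or owned by the reporter) before doing anything, and the response contains only identifiers, so even a future authorisation slip cannot turn the endpoint into a content leak. Returning the same empty response for missing and unapproved ids also stops the incremental counter from revealing how many posts are waiting in the queue.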

Report

Hope this was worth your time. Do check out my YouTube channel, HackingSimplified; I post videos every weekend.

Thanks for reading :)

Aseem Shrey
