Abusing 'Report Abuse'

One fine day, I was invited to another private program, this time a foreign fintech company. I don't usually invest time in foreign fintech companies because in most cases the setup itself requires a verified account, and for that you need to submit a verification document for that country, which I don't have.

However, since I hadn't done any bug hunting for the past couple of months, I thought I'd dabble with this one. I spent a couple of hours not finding anything, then came back to it a few hours later.

This company also had a discussion forum. I checked for XSS and some other common issues but didn't find any. Posts in the forum went through a moderation queue before they were published.

Later on I tried fiddling with the forum's features. There was a 'report abuse' function for each post on the forum.

Report Abuse Leaking Post not yet posted

The screenshot above is of a post that I created and then reported for abuse: it wasn't yet visible on the forum, but the 'report abuse' response still returned its contents, so an attacker could read it.


To verify the bug, I created another account and, using the report id, sent a 'report abuse' request, and sure enough I could see the post that wasn't yet posted. All I had to do then was iterate over the post id, which was, conveniently enough, incremental, and so I could read posts that hadn't yet been published.

Since this was a financial forum, if someone posted something financially significant that the moderators then rejected (because it contained something sensitive that shouldn't appear on the forum), an attacker could still read it.
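To make the root cause and the fix concrete, here is an added example that is not the author's code and does not reflect the target's real endpoint. It models the 'report abuse' flow with a constructed in-memory post store: the 'before' handler echoes the reported post's body back regardless of moderation state, the 'after' handler only accepts reports for posts the reporter is allowed to see and never echoes the body, and a small detector flags accounts that report long runs of consecutive post ids in a constructed access log. The handler signatures, the log format and all sample data are assumptions.

```python
"""Added example (not the author's or the forum's code): why returning post
contents from a 'report abuse' endpoint leaks unmoderated posts, the
authorization fix, and a log check for sequential-id sweeps. All data and
formats here are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    author: str
    body: str
    approved: bool  # False while the post sits in the moderation queue


# Constructed sample data standing in for the forum database.
POSTS = {
    101: Post(101, "alice", "Public thread: quarterly results discussion", True),
    102: Post(102, "bob", "DRAFT: account details ... (awaiting moderation)", False),
    103: Post(103, "carol", "Pending: internal pricing detail", False),
}


def report_abuse_vulnerable(reporter: str, post_id: int) -> dict:
    """Before: looks the post up by id and echoes its contents back,
    without checking whether the reporter could ever have seen it."""
    post = POSTS.get(post_id)
    if post is None:
        return {"status": "not_found"}
    return {"status": "reported", "post_id": post.post_id, "body": post.body}


def report_abuse_fixed(reporter: str, post_id: int) -> dict:
    """After: a report may only target a post visible to the reporter
    (approved, or the reporter's own), and the response never echoes the body."""
    post = POSTS.get(post_id)
    visible = post is not None and (post.approved or post.author == reporter)
    if not visible:
        # Same answer for 'missing' and 'not visible', so the id space
        # cannot be probed to learn which unpublished posts exist.
        return {"status": "not_found"}
    return {"status": "reported", "post_id": post.post_id}


def flag_id_sweeps(log_lines: list[str], threshold: int = 5) -> dict[str, int]:
    """Detection: a single account reporting a long run of consecutive post
    ids is the signature of the enumeration described above. Returns each
    flagged user mapped to its longest consecutive run.
    Constructed log format: '<ts> user=<name> action=<action> post_id=<n>'."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("action") == "report_abuse":
            seen[fields["user"]].add(int(fields["post_id"]))
    flagged = {}
    for user, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged[user] = best
    return flagged


# Constructed access log: one legitimate report and one sequential sweep.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z user=alice action=report_abuse post_id=101",
    "2024-01-01T10:01:00Z user=mallory action=report_abuse post_id=100",
    "2024-01-01T10:01:01Z user=mallory action=report_abuse post_id=101",
    "2024-01-01T10:01:02Z user=mallory action=report_abuse post_id=102",
    "2024-01-01T10:01:03Z user=mallory action=report_abuse post_id=103",
    "2024-01-01T10:01:04Z user=mallory action=report_abuse post_id=104",
    "2024-01-01T10:01:05Z user=mallory action=report_abuse post_id=105",
    "2024-01-01T10:02:00Z user=alice action=view post_id=101",
]


if __name__ == "__main__":
    print("vulnerable:", report_abuse_vulnerable("mallory", 102))
    print("fixed:     ", report_abuse_fixed("mallory", 102))
    print("sweeps:    ", flag_id_sweeps(SAMPLE_LOG))
```

The fix has two parts that matter independently: the visibility check means an unapproved post can only be reported by its own author, and dropping the body from the response means that even a legitimate report never turns the endpoint into a read API. The detector is deliberately simple; in a real deployment the same logic would run over the reporting endpoint's access log with a threshold tuned to how many reports a genuine user files.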



Hope this was worth your time. Do check out my YouTube channel, HackingSimplified; I post videos every weekend.

YouTube channel : HackingSimplified



Join the 'HackingSimplified' community: share, discuss, learn and grow. I post 3–4 articles related to bug bounty and general cybersecurity there daily.

Discord : https://discord.gg/bGyvctT

Join the subreddit here : HackingSimplified

Telegram here : HackingSimplified

Twitter : @AseemShrey

Thanks for reading :)

Aseem Shrey
