Abusing 'Report Abuse'

One fine day, I was invited to another private program, this time a foreign financial institution. I don't usually invest time in foreign fintech programs because in most cases the setup itself requires a verified account, and for that you need to submit a verification document, which I don't have for that country.

However, since I hadn't done any bug hunting for the past couple of months, I thought I'd dabble with this one. I spent a couple of hours without finding anything, then came back to it a few hours later.

This company also had a forum for discussion. I checked for XSS and some other common issues but didn't find any. Posts on the forum went through a moderation queue.

Later on I tried fiddling with the forum's features. There was a 'report abuse' function for each post on the forum.

Report Abuse Leaking Post not yet posted

The screenshot above is of a post that I created and then reported abuse for. It wasn't yet visible on the forum, but an attacker could still see its contents because of 'report abuse'.

Verification

To verify the bug I created another account and, using the report id, sent a 'report abuse' request, and sure enough I could see the post that wasn't yet posted. All I had to do then was iterate over the post id, which, conveniently enough, was incremental, and thus I could see posts which weren't yet posted.

Since this was a financial forum, if someone posted something financially important that the moderators didn't approve (because it contained something sensitive that shouldn't be posted on the forum), an attacker could still see it.
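The bug boils down to an authorization gap: the 'report abuse' handler trusts the supplied post id and echoes the post back without checking that the reporter could see it in the first place. Below is an added Python example, not code from the original post or from the forum in question, that models the leaky handler beside a hardened one and a regression check over a constructed in-memory store (all names and data are hypothetical).

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Post:
    post_id: int
    author: str
    body: str
    approved: bool  # False while the post sits in the moderation queue

# Constructed sample store (hypothetical data): post 2 is still awaiting approval.
POSTS = {
    1: Post(1, "alice", "Public discussion about index funds", approved=True),
    2: Post(2, "bob", "Unreleased earnings figures, do not publish", approved=False),
}

def report_abuse_vulnerable(reporter: str, post_id: int) -> dict:
    """Leaky handler: any user can report any post id and gets its body echoed back,
    whether or not the post has cleared moderation. This is the bug described above."""
    post = POSTS.get(post_id)
    if post is None:
        return {"ok": False, "error": "not found"}
    return {"ok": True, "reported_post": {"id": post.post_id, "body": post.body}}

def report_abuse_fixed(reporter: str, post_id: int) -> dict:
    """Hardened handler: a report is only accepted for a post the reporter can already
    see (approved, or their own), and the response never echoes the post content."""
    post = POSTS.get(post_id)
    # Identical response for missing and not-yet-visible posts, so the reporter
    # learns nothing about which ids exist in the moderation queue.
    if post is None or not (post.approved or post.author == reporter):
        return {"ok": False, "error": "not found"}
    return {"ok": True}  # moderators see the report; the reporter gets only an ack

def pending_bodies_exposed(handler: Callable[[str, int], dict], reporter: str) -> list:
    """Regression check: walk the (incremental) id space as an outsider and list the
    unapproved posts whose body the handler returned."""
    leaked = []
    for post_id, post in POSTS.items():
        if post.approved or post.author == reporter:
            continue
        resp = handler(reporter, post_id)
        if resp.get("reported_post", {}).get("body") == post.body:
            leaked.append(post_id)
    return leaked
```

Running `pending_bodies_exposed` against both handlers shows the vulnerable one leaks post 2 to an outsider while the fixed one leaks nothing, which is the check worth keeping in the test suite after the fix.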

Report

Hope this was worth your time, do check out my YouTube channel: HackingSimplified, I post videos every weekend.

Join the 'HackingSimplified' community, share, discuss, learn and grow. I post 3–4 articles related to bug bounty and general cybersecurity there daily.

Discord: https://discord.gg/bGyvctT

Join the subreddit here: HackingSimplified

Telegram here: HackingSimplified

Twitter: @AseemShrey

Thanks for reading :)

Aseem Shrey
