Private data related to program exposed via /reports/<id>.json endpoint to external user participant
Posted: Sun Oct 06, 2024 4:42 am
An organization has the ability to invite external participants not belonging to their organization to a bug report. The invited user sees partial data and metadata of a bug in the UI after they accept the invitation. However, in this case I have discovered a way that will make a participant view more data than what is allowed. The data consists of program profile picture, twitter handle, website, about and the asset details to which the report belongs.
https://hackerone.com/reports/2580982
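The report above describes a JSON endpoint returning program-level fields (profile picture, twitter handle, website, about, assets) to a viewer who is only entitled to a partial view. The usual fix is to serialize per viewer role from an allowlist, so that anything not explicitly granted is dropped by default. The following is an added illustration of that pattern; it is not HackerOne's code, and the role names, field names and sample record are constructed for the example.

```python
# Added example (not HackerOne's code): allowlist-based serialization of a
# report for different viewer roles, so an external participant only ever
# receives the fields the product intends to expose. Role names, field names
# and the sample record below are constructed for illustration.

from typing import Any

# Fields an external participant is allowed to see (constructed allowlist).
EXTERNAL_PARTICIPANT_FIELDS = frozenset({"id", "title", "state", "severity"})

# Fields a member of the owning organization may see (constructed).
ORG_MEMBER_FIELDS = EXTERNAL_PARTICIPANT_FIELDS | {"program"}

ROLE_ALLOWLISTS = {
    "external_participant": EXTERNAL_PARTICIPANT_FIELDS,
    "org_member": ORG_MEMBER_FIELDS,
}

# Program-level fields that must never reach an external participant.
PROGRAM_PRIVATE_FIELDS = frozenset(
    {"profile_picture", "twitter_handle", "website", "about", "assets"}
)


def serialize_report(report: dict[str, Any], viewer_role: str) -> dict[str, Any]:
    """Return the JSON-ready view of `report` for `viewer_role`.

    Allowlist semantics: a field is emitted only if the role is explicitly
    granted it, so a new field added to the report model is private by
    default. An unknown role gets an empty view instead of falling through
    to a broader one.
    """
    allowed = ROLE_ALLOWLISTS.get(viewer_role, frozenset())
    return {key: value for key, value in report.items() if key in allowed}


def leaked_program_fields(view: dict[str, Any]) -> set[str]:
    """Program-level private fields present in a serialized view.

    Useful as a regression check in tests or as a response-side monitor:
    for an external participant the result should always be empty.
    """
    program = view.get("program") or {}
    return set(program) & PROGRAM_PRIVATE_FIELDS


# Constructed sample record; values are placeholders, not real program data.
SAMPLE_REPORT = {
    "id": 1,
    "title": "Example report",
    "state": "triaged",
    "severity": "medium",
    "program": {
        "profile_picture": "https://example.invalid/logo.png",
        "twitter_handle": "@example",
        "website": "https://example.invalid",
        "about": "Example program description",
        "assets": [{"identifier": "api.example.invalid", "type": "URL"}],
    },
}

if __name__ == "__main__":
    for role in ("external_participant", "org_member", "unknown_role"):
        view = serialize_report(SAMPLE_REPORT, role)
        print(role, view, "leaked:", sorted(leaked_program_fields(view)))
```

The point of the allowlist is that the `program` object is withheld as a unit for the external role; a denylist that strips individual sub-fields would have to be updated every time the program model grows, which is how fields like a new asset list end up exposed.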