
Extracting all user emails ending with @company.com, together with names, from the company's user database



Published 1 week ago

Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

I found a method to retrieve every email address in the company database (cross-tenant access), including those of internal employees held in the company's admin database. The method takes two steps after logging in as an admin.

Affected Parameter / Endpoint: https://admin.company.com/admin/services/user/settings

Proof of Concept:

Step-by-step to reproduce:
  • Step 1: send a PUT request to this endpoint: PUT https://admin.company.com/admin/services/user/settings with the body [{"idUser":Here_Company_User_Id,"validToDate":"2023-03-06T00:00:00.000Z","operation":"1"}]
  • Step 2: with Intruder you could repeat this and extract all of them. Just as proof of concept, this is a list of valid ids which I found: 1, 2, 19, 20, ..., 824050, and you can download the attached file, from which you can get more idUsers of @company.com emails.
  • Step 3: go to this endpoint and you will get the emails with first and last names: admin.company.com/admin/user/settings/userlist?usersWithNoRole=false
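The root cause described above is a missing object-level authorization check: the settings endpoint accepts any idUser from the request body, and the user list is not scoped to the caller's tenant. The following is an added example written for this write-up, not the vendor's code. It keeps the field names from the report (idUser, validToDate, operation, usersWithNoRole) but the tenant model, the in-memory user table, the Session type and all function names are assumptions. It shows the vulnerable handler beside a hardened one that rejects any row outside the admin's own tenant, and a tenant-scoped user list.

```python
"""Tenant-scoped authorization for a bulk user-settings update.

Added example, not the vendor's code. idUser / validToDate / operation
and usersWithNoRole come from the write-up; everything else is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id_user: int
    tenant: str
    email: str
    first_name: str
    last_name: str
    role: Optional[str]


@dataclass(frozen=True)
class Session:
    """Authenticated caller context: which tenant this admin administers."""
    admin_id: int
    tenant: str


class Forbidden(Exception):
    """Raised when a request touches a row outside the caller's tenant."""


# Constructed sample data: one shared user table holding two tenants,
# which is exactly the situation where a missing tenant check leaks rows.
USERS = {
    1: User(1, "tenant-a", "alice@company.com", "Alice", "Adams", "admin"),
    2: User(2, "tenant-a", "bob@company.com", "Bob", "Brown", None),
    19: User(19, "tenant-b", "carol@partner.example", "Carol", "Clark", "user"),
    20: User(20, "tenant-b", "dan@partner.example", "Dan", "Diaz", None),
}


def update_settings_vulnerable(session, payload):
    """'Before' form: the idUser in the body is trusted as-is.

    Any authenticated admin can act on any row, so a foreign tenant's
    user (e.g. idUser 19) is updated just like the admin's own users.
    Returns (idUser, tenant) for each row that would be updated.
    """
    touched = []
    for item in payload:
        user = USERS.get(item["idUser"])
        if user is None:
            continue
        # validToDate / operation would be applied to `user` here.
        touched.append((user.id_user, user.tenant))
    return touched


def update_settings_hardened(session, payload):
    """Hardened form: every row must belong to the caller's tenant.

    The whole batch is rejected on the first foreign or unknown id, and
    both cases get the same error so the endpoint cannot be used as an
    oracle for which ids exist.
    """
    touched = []
    for item in payload:
        user = USERS.get(item["idUser"])
        if user is None or user.tenant != session.tenant:
            raise Forbidden("idUser %r is not in tenant %s" % (item["idUser"], session.tenant))
        touched.append((user.id_user, user.tenant))
    return touched


def userlist(session, users_with_no_role=False):
    """Tenant-scoped user list (the Step 3 endpoint, hardened).

    The filter on the caller's tenant is applied server-side from the
    session, never from a client-supplied parameter. usersWithNoRole=false
    additionally hides users that have no role assigned.
    """
    return [
        {"idUser": u.id_user, "email": u.email,
         "firstName": u.first_name, "lastName": u.last_name}
        for u in sorted(USERS.values(), key=lambda u: u.id_user)
        if u.tenant == session.tenant and (users_with_no_role or u.role is not None)
    ]


if __name__ == "__main__":
    admin_a = Session(admin_id=100, tenant="tenant-a")
    print("vulnerable:", update_settings_vulnerable(admin_a, [{"idUser": 19}]))
    try:
        update_settings_hardened(admin_a, [{"idUser": 19}])
    except Forbidden as exc:
        print("hardened:", exc)
    print("userlist:", userlist(admin_a, users_with_no_role=True))
```

The key design choice is that the tenant comes from the server-side session and is checked per row inside the bulk operation; a check on the endpoint alone (is the caller an admin?) is what the original application had, and it is not enough when the body carries object identifiers.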

Impact:

Mass exfiltration of users' sensitive information
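Step 2 of the report relies on replaying the PUT with sequential ids, which leaves a recognisable trail in an application audit log: one session writing to many distinct idUser values in a short window, and writes whose target row belongs to a tenant other than the caller's. The following is an added detection example, not part of the original write-up or the vendor's tooling. The log format (session, caller_tenant, idUser, target_tenant fields), the sample lines and the thresholds are all constructed assumptions.

```python
"""Detect id enumeration and cross-tenant writes in an audit log.

Added example, not the vendor's code. The log line format and the sample
lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log excerpt: s1 is an admin editing two of their own
# users; s2 is an admin of tenant-a sweeping sequential ids (Step 2 of the
# report), most of which resolve to rows in other tenants.
SAMPLE_LOG = """\
2023-03-05T10:00:01Z session=s1 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=1 target_tenant=tenant-a status=200
2023-03-05T10:00:09Z session=s1 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=2 target_tenant=tenant-a status=200
2023-03-05T10:05:00Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=19 target_tenant=tenant-b status=200
2023-03-05T10:05:01Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=20 target_tenant=tenant-b status=200
2023-03-05T10:05:02Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=21 target_tenant=tenant-b status=200
2023-03-05T10:05:03Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=22 target_tenant=tenant-b status=200
2023-03-05T10:05:04Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=23 target_tenant=tenant-a status=200
2023-03-05T10:05:05Z session=s2 caller_tenant=tenant-a method=PUT path=/admin/services/user/settings idUser=24 target_tenant=tenant-c status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) caller_tenant=(?P<caller>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) idUser=(?P<id>\d+) "
    r"target_tenant=(?P<target>\S+) status=(?P<status>\d+)$"
)


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["id"] = int(ev["id"])
        events.append(ev)
    return events


def detect(lines, window_seconds=60, distinct_id_threshold=5):
    """Return a list of (rule, session, detail) alerts.

    cross_tenant_write: a single write whose target row lives in a tenant
        other than the caller's (detail = idUser). With the hardened check
        in place these would be 403s; in the log of a vulnerable build they
        are 200s, which is what makes this rule useful for post-hoc audit.
    id_enumeration: one session touched >= distinct_id_threshold distinct
        idUser values within window_seconds (detail = distinct count at the
        moment the threshold was first crossed).
    """
    alerts = []
    by_session = defaultdict(list)
    for ev in parse_events(lines):
        if ev["target"] != ev["caller"]:
            alerts.append(("cross_tenant_write", ev["session"], ev["id"]))
        by_session[ev["session"]].append(ev)

    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct_ids = {e["id"] for e in evs[start:end + 1]}
            if len(distinct_ids) >= distinct_id_threshold:
                alerts.append(("id_enumeration", session, len(distinct_ids)))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In practice the cross-tenant rule should fire zero times once the authorization fix is deployed, so any hit is either a regression or a log-enrichment bug; the enumeration rule remains useful afterwards because a sweep of foreign ids will still show up as a burst of 403s from one session.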

Severity:

High: mass disclosure of user PII

Timeline:
  • Platform: Intigriti
  • Reported: 05/03/2023
  • Triaged: 07/03/2023
  • Accepted & paid: 07/03/2023
  • Bounty: €1,000

https://app.intigriti.com/profile/merroun
