Originally posted : https://aseemshrey.in/abusing-report-abuse/

One fine day, I was invited to another private program, this one a foreign financial institution. I don't always invest time in foreign fintech companies because in most cases the setup itself requires a verified account, and for that you need to submit a verification document, which I don't have for that country.

However, since I hadn't done any bug hunting for the past couple of months, I thought I'd dabble with this one. I spent a couple of hours not finding anything, then came back to it after a few hours.

This company also had a discussion forum. I checked for XSS and some other common issues but didn't find any. Posts in the forum went through a moderation queue.

Later on I tried fiddling with the forum's features. There was a 'report abuse' function for each post on the forum.

[Screenshot: 'report abuse' leaking a post that was not yet posted]

The screenshot above is of a post that I created and then reported for abuse. It wasn't yet visible on the forum, but an attacker could still see its contents through 'report abuse'.


To verify the bug I created another account and, using the report id, sent a 'report abuse' request, and yes, I could see the post that wasn't yet posted. All I had to do then was iterate over the post id, which was conveniently incremental, and I could see every post that hadn't been published yet.
Since this was a financial forum, if someone posted something financially important which the moderators didn't approve (because it leaked sensitive data), an attacker could still read it.
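The root cause is an authorization gap: the report endpoint looks the post up by id but never asks whether the reporter is allowed to see it. The sketch below is an added example (not the program's code or the author's) of a hypothetical handler in its vulnerable and hardened forms, plus a simple detector for the id-walking pattern over a constructed log format.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Post:
    id: int
    author: str
    body: str
    published: bool  # False while the post sits in the moderation queue

# Constructed sample data: post 2 is still awaiting moderation.
POSTS = {
    1: Post(1, "alice", "Public thread about savings accounts", True),
    2: Post(2, "bob", "Unreviewed post quoting an internal account statement", False),
}

def report_abuse_vulnerable(reporter: str, post_id: int) -> dict:
    """Echoes the reported post back with no visibility check (the bug in the write-up)."""
    post = POSTS[post_id]
    return {"status": "reported", "post_id": post.id, "body": post.body}

def report_abuse_hardened(reporter: str, post_id: int) -> dict:
    """Only a post the reporter could already see may be reported; the reply never
    echoes content, and missing and unpublished ids get the same answer."""
    post = POSTS.get(post_id)
    if post is None or not (post.published or post.author == reporter):
        return {"status": "rejected"}
    return {"status": "reported", "post_id": post.id}

def _longest_consecutive_run(ids) -> int:
    ids = sorted(set(ids))
    best = run = 1
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_lines, threshold: int = 3) -> list:
    """Reporters whose report-abuse calls walk >= threshold consecutive post ids.
    Log format is constructed: 'POST /report_abuse user=<name> post_id=<int>'."""
    ids_by_user = defaultdict(list)
    for line in log_lines:
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        ids_by_user[fields["user"]].append(int(fields["post_id"]))
    return sorted(u for u, ids in ids_by_user.items()
                  if _longest_consecutive_run(ids) >= threshold)

# Constructed log: mallory walks ids 5..8, alice reports two unrelated posts.
SAMPLE_LOG = ["POST /report_abuse user=alice post_id=1", "POST /report_abuse user=alice post_id=3",
              *[f"POST /report_abuse user=mallory post_id={i}" for i in range(5, 9)]]
```

The hardened handler answers "rejected" for both unknown and unpublished ids, so an iterating client learns nothing about which ids exist in the moderation queue.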


Hope this was worth your time. Do check out my YouTube channel, HackingSimplified; I post videos every weekend.

YouTube channel : HackingSimplified

Join the 'HackingSimplified' community: share, discuss, learn and grow. I post 3–4 articles related to bug bounty and general cybersecurity there daily.

Discord : https://discord.gg/bGyvctT

Join the subreddit here : HackingSimplified

Telegram here : HackingSimplified

Twitter : @AseemShrey

Thanks for reading :)

Security Engineer @Gojek | Teaches CyberSecurity — HackingSimplified | CTF player with NULLKrypt3rs | Web App Exploitation and Reverse Engineering Enthusiast
