Originally posted : https://aseemshrey.in/abusing-report-abuse/

One fine day, I was invited to another private program, this time a foreign financial-institution kind of company. I don't usually invest time in foreign fintech companies because in most cases the setup itself requires a verified account, and for that you need to submit some verification document, which I don't have for that country.

However, this time, since I hadn't done any bug hunting for the past couple of months, I thought I'd dabble with this. I spent a couple of hours not finding anything, then came back to it after a few hours.

This company also had a discussion forum. I checked for XSS and some other common issues but didn't find any. Posts in the forum went through a moderation queue.

Later on I tried fiddling with the features in the forum. There was a 'report abuse' function for each post on the forum.

[Screenshot: Report Abuse leaking a post not yet posted]

The screenshot above is of a post that I created and then reported for abuse. It wasn't yet available on the forum, but an attacker could still see its contents because of 'report abuse'.

Verification

Now, to verify the bug, I created another account and, using the report id, sent a 'report abuse' request, and yes, I could see the post that wasn't yet posted. Now all I had to do was iterate over the post id, which was, conveniently enough, incremental, and so I could see posts which weren't yet posted.
Now, since this was a financial forum, if someone posted something financially important which the moderators didn't approve (because it was leaking sensitive data), an attacker could see it.
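As an added illustration (not the author's code and not the program's real endpoint), here is a minimal model of the flaw described above next to a fixed handler, plus a log-based check a defender could run to spot sequential-id enumeration of the report endpoint. The post records, the log format and the endpoint name are assumptions:

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Post:
    id: int
    author: str
    status: str  # "pending" = still in the moderation queue, "published" = live
    body: str

# Constructed sample data: post 2 is still awaiting moderation.
POSTS = {
    1: Post(1, "alice", "published", "Welcome to the forum"),
    2: Post(2, "bob", "pending", "CONFIDENTIAL: unreleased quarterly figures"),
}

def report_abuse_vulnerable(post_id, reporter):
    # Looks the post up by id and echoes its body back to whoever reports it,
    # with no check on moderation status: unpublished posts leak.
    post = POSTS[post_id]
    return 200, {"report_id": post_id, "reported_text": post.body}

def visible_to(post, user):
    # A post is visible once published, or to its own author while pending.
    return post.status == "published" or post.author == user

def report_abuse_fixed(post_id, reporter):
    post = POSTS.get(post_id)
    # Same 404 for missing and not-yet-visible posts, so the endpoint is not
    # an oracle for which ids exist; the report is stored, the body never echoed.
    if post is None or not visible_to(post, reporter):
        return 404, {"error": "not found"}
    return 200, {"status": "report received"}

# Constructed access-log lines (assumed format): "<user> POST /report post_id=<n>".
SAMPLE_LOG = [
    "alice POST /report post_id=1",
    "mallory POST /report post_id=1",
    "mallory POST /report post_id=2",
    "mallory POST /report post_id=3",
    "mallory POST /report post_id=4",
    "mallory POST /report post_id=5",
]

def detect_enumeration(log_lines, threshold=5):
    """Users who reported at least `threshold` distinct post ids: a sign of id enumeration."""
    ids_by_user = defaultdict(set)
    for line in log_lines:
        user, _method, _path, id_field = line.split()
        ids_by_user[user].add(int(id_field.split("=", 1)[1]))
    return sorted(u for u, ids in ids_by_user.items() if len(ids) >= threshold)
```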

Report

Hope this was worth your time. Do check out my YouTube channel: HackingSimplified. I post videos every weekend.

YouTube channel : HackingSimplified

Join the 'HackingSimplified' community: share, discuss, learn and grow. I post 3–4 articles related to bug bounty and general cybersecurity there daily.

Discord : https://discord.gg/bGyvctT

Join the subreddit here : HackingSimplified

Telegram here : HackingSimplified

Twitter : @AseemShrey

Thanks for reading :)

Security Engineer @Gojek | Teaches CyberSecurity — HackingSimplified | CTF player with NULLKrypt3rs | Web App Exploitation and Reverse Engineering Enthusiast
