Originally posted : https://aseemshrey.in/abusing-report-abuse/
One fine day, I was invited to another private program, this one being a foreign financial institution type of company. I don't usually invest time in foreign fintech companies because in most cases the setup itself requires a verified account, and for that you need to submit a verification document from that country, which I don't have.
However, since I hadn't done any bug hunting for the past couple of months, I thought of dabbling with this one. I spent a couple of hours not finding anything, then came back to it after a few hours.
This company also had a forum for discussion. I checked for XSS and some other common things but didn't find any. The posts in the forum went through a moderation queue.
Later on I tried fiddling with the features in the forum. There was a 'report abuse' function for each of the posts on the forum.
The screenshot above is of a post that I created and then reported abuse for. It wasn't yet available on the forum, but an attacker could still see its contents because of 'report abuse'.
Now, to verify the bug, I created another account and, using the report id, sent a 'report abuse' request, and yes, I could see the post that wasn't yet posted. Now all I had to do was iterate over the post id, which was, conveniently enough, incremental, and thus I could see posts which weren't yet posted.
Now, since this was a financial forum, if someone posted something financially important which the moderators didn't approve (because it was leaking sensitive data), an attacker could see it.
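To make the root cause concrete, here is an added example (not code from the program in this post; post ids, names and log lines are constructed) that puts the buggy report-abuse handler next to a fixed one, and adds the id-enumeration check a forum operator could run over its report logs:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Post:
    id: int
    author: str
    body: str
    approved: bool  # False while the post still sits in the moderation queue


# Constructed sample data (hypothetical ids and text, not from the program in the post).
POSTS = {
    101: Post(101, "alice", "Public discussion thread", approved=True),
    102: Post(102, "bob", "Unreleased quarterly numbers", approved=False),
}


def report_abuse_vulnerable(reporter: str, post_id: int) -> dict:
    """Mirrors the bug: any id is accepted and the post body is echoed back,
    so a post still in the moderation queue leaks to whoever supplies its id."""
    post = POSTS.get(post_id)
    if post is None:
        return {"error": "not found"}
    return {"status": "received", "reported_content": post.body}


def report_abuse_fixed(reporter: str, post_id: int) -> dict:
    """Authorisation check: only posts the reporter is already allowed to see
    (approved, or their own) can be reported, and the body is never returned.
    Unapproved and nonexistent ids get the identical reply, so the endpoint
    does not even confirm which ids exist."""
    post = POSTS.get(post_id)
    if post is None or not (post.approved or post.author == reporter):
        return {"error": "not found"}
    return {"status": "received"}


# Constructed report-log entries (reporter, post id): one account walks the id space.
REPORT_LOG = [
    ("alice", 101), ("mallory", 100), ("mallory", 101),
    ("mallory", 102), ("mallory", 103), ("mallory", 104),
]


def flag_enumeration(log, threshold: int = 3) -> set:
    """Detection: an account reporting more than `threshold` distinct post ids
    behaves like an id scanner rather than a genuine reporter."""
    seen = defaultdict(set)
    for reporter, post_id in log:
        seen[reporter].add(post_id)
    return {r for r, ids in seen.items() if len(ids) > threshold}
```

Even with the fixed handler, switching the post ids from a sequential counter to random identifiers removes the cheap enumeration entirely.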
Hope this was worth your time. Do check out my YouTube channel: HackingSimplified. I post videos every weekend.
Thanks for reading :)