FirstBlood-#160 Hackerback event attendees information disclosed through /attendees/event.php



On 2021-05-10, 0xblackbird reported:

Hi! I found a little privacy issue on /attendees/event.php. It discloses information about the attendees of the (previous) Hackerback event.

Steps to reproduce

  • Visit /attendees/event.php?q={ID} (Example: ID = 560720) and intercept the request.
  • Send this request to Repeater
  • Manually add the following required request header: X-SITE-REQ: permitted and make the request.
  • In the response, you'll get a lot of information about that event.

Impact

Information is disclosed and can be viewed unauthorised. The ID can also be brute-forced since it's not a big number, only 6 digits.

Kind regards, 0xblackbird

P1 CRITICAL

Endpoint: /attendees/event.php

Parameter: q

Payload: {ID}


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but returns a blank response. Upon further inspection, and from making use of the web app, you will notice that certain headers can be added in order to interact with this endpoint. An old event ID leaks attendees' PII.
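The root cause here is that a fixed, client-supplied header value acts as the only gate on the endpoint. The following is an added example (not FirstBlood's code and not the original event.php) that places the header-gated lookup beside a version that authorizes from the server-side session, treats missing and forbidden events identically so IDs cannot be enumerated, and returns only the fields the caller needs. The Request class, the handler names, the sample event data and the "permitted" header value are constructed assumptions; the header name X-SITE-REQ and the q parameter come from the report.

```python
"""Added example, not FirstBlood's code: header-gated vs. session-authorized event lookup."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: one past event whose attendee list contains PII.
EVENTS = {
    560720: {
        "name": "Hackerback (past event)",
        "organizer": "alice",
        "attendees": [
            {"name": "Bob Example", "email": "bob@example.invalid"},
            {"name": "Carol Example", "email": "carol@example.invalid"},
        ],
    }
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    query: dict
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None   # identity taken from the server-side session
    role: str = "user"           # role taken from the server-side session


def weak_event_handler(req: Request) -> tuple:
    """The pattern described in the report: a header the client controls is the only gate."""
    if req.headers.get("X-SITE-REQ") != "permitted":
        return 200, {}  # blank response when the header is absent
    event = EVENTS.get(int(req.query.get("q", 0)))
    if event is None:
        return 404, {"error": "not found"}
    return 200, event  # full attendee PII returned without any authentication


def hardened_event_handler(req: Request) -> tuple:
    """Authorization derives from the session, never from a request header."""
    if req.user is None:
        return 401, {"error": "authentication required"}
    try:
        event_id = int(req.query.get("q", ""))
    except ValueError:
        return 400, {"error": "invalid event id"}
    event = EVENTS.get(event_id)
    # Identical response for unknown and forbidden events: an attacker sweeping
    # six-digit IDs learns nothing about which ones exist.
    allowed = req.role == "admin" or (event is not None and req.user == event["organizer"])
    if event is None or not allowed:
        return 404, {"error": "not found"}
    # Data minimisation: even an authorized caller gets only what this view needs.
    return 200, {"name": event["name"], "attendee_count": len(event["attendees"])}
```

In the hardened handler the X-SITE-REQ header is simply ignored: sending it changes nothing, and a caller without a session gets 401 regardless of the ID supplied.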


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.