FirstBlood-#281 — Hackerback Event Details Along with Attendee's Personal Information Exposed to Public
This issue was discovered on FirstBlood v1
On 2021-05-15, netmous3 Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Description:
Current and previous hackerback event information's along with the attendee's personal information was exposed to the public. The vulnerable endpoint did not employ any of the authentication mechanisms before releasing that information.
Steps To Reproduce:
- Create a GET request to the vulnerable endpoint while adding an extra header value as below.
X-SITE-REQ: permitted
- Observe the hackerback event details in the response.
- Use both event id values (560700 and 560720) with query parameters to retrieve both old and current event details.
Impact:
The company could face a financial losses and credibility losses due to a patient's PII leak.
Further, there could be lawsuits against the company issued by the victims of data leak. Requests for damages, if the institution’s irresponsibility for information security is proven, will not only cause financial losses and irreversible corporate reputation, but will also mark the business in court.
P1 CRITICAL
Endpoint: /attendees/event.php?
Parameter: q
Payload: 560700 and 560720
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.