[Repost] [Vulnerability Analysis] Information Disclosure via External Live Chat Service

Hi folks!

I hope you’re all safe and well. Today’s writeup explains how I was able to fetch website staff members’ first names, phone numbers and e-mail addresses through an external live chat service.

I found this vulnerability in a private program on HackerOne, so let’s call the program redacted.com. First, I looked for a live chat service on the main domain but couldn’t find anything. Then I registered on the website, and now the live chat was there. I sent some messages to the live chat service, but it seemed to be an auto-reply chat service. I lost my momentary joy.

After I finished my research on the main domain, I started to examine the request history in Burp Suite. I saw a request to https://api.redactedchatservice.com/restapi/v1/team/user/members?access-token=jwttoken.

Well, I had probably just found 298 phone numbers of live support agents!

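The Burp history check described above, written out as an added example (my script, not the author’s; the token, the member records and the two hostnames are constructed, with redacted.com and api.redactedchatservice.com reused only as the placeholders the writeup itself uses). It walks a captured list of request/response pairs, flags calls to a third-party host that carry a credential in the query string (a token in the URL also ends up in proxy logs, server logs and browser history), decodes the JWT’s claims without verifying them so you can see who the token was issued to, and counts distinct phone numbers and e-mail addresses in the response body. That is the triage that turns one line in the proxy history into a finding with a count like the 298 above.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Loose triage patterns: they surface candidates for a human to check, they do not validate.
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
TOKEN_PARAM_RE = re.compile(r"token|key|secret|auth", re.I)


def decode_jwt_payload(token):
    """Decode a JWT's claims WITHOUT verifying the signature (for reading, never for auth)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None


def tokens_in_query(url):
    """Credential-looking query parameters; these land in logs, history and Referer headers."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items() if TOKEN_PARAM_RE.search(k)}


def _strings(value):
    """Yield every string leaf of a parsed JSON document."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)
    elif isinstance(value, str):
        yield value


def _looks_like_phone(s):
    # The shape check alone also matches dates such as 2021-07-02, so require 9+ digits.
    return bool(PHONE_RE.match(s)) and sum(c.isdigit() for c in s) >= 9


def extract_pii(body):
    """Distinct phone numbers and e-mail addresses found in a JSON response body."""
    try:
        leaves = [s.strip() for s in _strings(json.loads(body))]
    except ValueError:
        leaves = []  # non-JSON bodies are out of scope for this helper
    return {
        "phones": sorted({s for s in leaves if _looks_like_phone(s)}),
        "emails": sorted({s for s in leaves if EMAIL_RE.match(s)}),
    }


def triage(entries):
    """Flag entries that carry a token in the URL or whose response contains contact data."""
    findings = []
    for entry in entries:  # each entry: {"origin_host", "url", "response_body"}
        url = entry["url"]
        toks = tokens_in_query(url)
        pii = extract_pii(entry["response_body"])
        if not (toks or pii["phones"] or pii["emails"]):
            continue
        findings.append({
            "url": url,
            # A widget token issued to a site visitor should not unlock a provider's staff list.
            "third_party": urlparse(url).hostname != entry["origin_host"],
            "token_params": sorted(toks),
            "jwt_claims": {k: decode_jwt_payload(v) for k, v in toks.items()},
            "phones": len(pii["phones"]),
            "emails": len(pii["emails"]),
        })
    return findings


def _unsigned_jwt(claims):
    """Constructed sample token with a dummy signature; only used to build SAMPLE_HISTORY."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


SAMPLE_TOKEN = _unsigned_jwt({"sub": "visitor-42", "role": "visitor"})

# Constructed stand-in for a Burp history export; names, numbers and e-mails are invented.
SAMPLE_HISTORY = [
    {"origin_host": "redacted.com",
     "url": "https://redacted.com/api/chat/config",
     "response_body": '{"enabled": true}'},
    {"origin_host": "redacted.com",
     "url": "https://api.redactedchatservice.com/restapi/v1/team/user/members"
            f"?access-token={SAMPLE_TOKEN}",
     "response_body": json.dumps({"members": [
         {"id": 1, "first_name": "Alice", "phone": "+90 555 123 4567",
          "email": "alice@example.com", "created": "2021-07-02"},
         {"id": 2, "first_name": "Bob", "phone": "+44 20 7946 0958",
          "email": "bob@example.com", "created": "2021-07-02"},
     ]})},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HISTORY):
        print(json.dumps(finding, indent=2))
```

Run on the constructed history it reports one finding: the members call on the third-party host, with `access-token` as the leaked parameter, claims showing the token was issued to a visitor, and two phone numbers and two e-mail addresses in the response. On a real export, replace SAMPLE_HISTORY with the parsed entries and review the flagged URLs by hand before reporting.
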
Then I checked one phone number’s WhatsApp account to verify that it belonged to a physical (real) SIM card. Yes! That phone number had a WhatsApp account, so it was a real phone number, and I immediately reported it.

Report Timeline

  • Submitted on July 2, 2021
  • Fixed on July 6, 2021
  • $$$ bounty awarded on July 20, 2021 as Medium severity.

My reaction after the report was triaged 😀

Thanks for reading my first writeup. Happy to share this find with you all. If you found anything interesting, feel free to share. DM me on Twitter if you have any queries. Stay home and stay safe! ♥