Staff Information Disclosure on Support Ticketing System ($x,xxx)

Hi Guys,

I want to share a write-up of how I got a P2 and was rewarded $x,xxx on a private program, so let's start.

What is Support Ticketing System?
Tickets can come from a variety of channels, such as social media, live chat or messaging, email, or the customer support portal that you have set up on your company’s website.

An omnichannel approach to customer service enables companies to streamline their ticket workflows by organizing requests from all your channels and bringing them to one comprehensive dashboard. Omnichannel ticketing systems allow queries from any channel, and support ticket systems give visibility into customer conversations across the organization, allowing the support team to collaborate to solve queries or pull relevant insights from tickets.

How i found this bug?
First, I was looking for information disclosure issues, since I like hunting for vulnerabilities in APIs. I saw the "Support ticket" entry in the sidebar navigation, so I opened it and created an issue.

I opened the issue with no description and simply waited for one of their staff to reply.

When I viewed the response, my own private info was returned by the API. That means the staff can see my personal info, but in my mind that's fine, since they are part of the organization.

A day later, when I was trying to find bugs again, Burp Suite flagged an "Email address disclosed" issue.

In the issues list, Burp Suite detected "Email address disclosed".

In that issue, for the path "/api/***/tickets", Burp Suite found 2 emails: one was my email and the second was the staff member's email.

Me:

So I looked at the response, and emails were not the only thing that had been disclosed.

Reply from their staff:

In the response we can see the account creation date, email, cellphone number, 2FA pin, IP address, etc.
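To make both the fix and the detection concrete, here is an added Python example that is not part of the original write-up or of the affected program's code. It assumes a constructed ticket JSON with made-up field names (two_factor_pin, ip_address, and so on; all values are invented) and shows two things: an allowlist serializer that returns only the author fields a ticket requester needs, so a full staff account object never reaches the response, and a passive scan over a response body similar to the "Email address disclosed" check Burp Suite raised, extended to other sensitive keys and IPv4 addresses.

```python
import json
import re
from typing import Any

# Constructed sample: a ticket reply as a leaky API might return it, with the
# staff author's full account object embedded. Every value here is made up.
LEAKY_TICKET_RESPONSE = {
    "id": 4711,
    "subject": "Example issue",
    "messages": [
        {
            "body": "Hi, how can we help?",
            "author": {
                "id": 17,
                "name": "Support Agent",
                "email": "agent@example.invalid",
                "cellphone": "+1-555-0100",
                "two_factor_pin": "123456",
                "ip_address": "203.0.113.42",
                "created_at": "2019-04-02T10:00:00Z",
            },
        }
    ],
}

# Allowlist: the only author fields a ticket requester needs to see.
# New columns added to the user table later are hidden by default.
AUTHOR_PUBLIC_FIELDS = ("id", "name")


def public_author(author: dict) -> dict:
    """Requester-facing view of a message author, built from the allowlist."""
    return {k: author[k] for k in AUTHOR_PUBLIC_FIELDS if k in author}


def sanitize_ticket(ticket: dict) -> dict:
    """Return a copy of the ticket with every message author reduced to public fields."""
    out = dict(ticket)
    out["messages"] = [
        {**m, "author": public_author(m.get("author", {}))}
        for m in ticket.get("messages", [])
    ]
    return out


# Detection side: a passive check over a decoded JSON body, in the spirit of
# Burp's "Email address disclosed" issue, widened to other PII-like keys/values.
SENSITIVE_KEYS = {"email", "cellphone", "phone", "two_factor_pin", "ip_address", "created_at"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_disclosures(obj: Any, path: str = "$") -> list[tuple[str, str]]:
    """Walk a decoded JSON value and report (json_path, reason) for sensitive
    keys, and for string values that look like e-mail or IPv4 addresses."""
    hits: list[tuple[str, str]] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}"
            if k in SENSITIVE_KEYS:
                hits.append((p, f"sensitive key '{k}'"))
            hits.extend(find_disclosures(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_disclosures(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj):
            hits.append((path, "email address in value"))
        elif IPV4_RE.search(obj):
            hits.append((path, "IPv4 address in value"))
    return hits


def scan_response_body(body: str) -> list[tuple[str, str]]:
    """Scan a raw JSON response body (as captured from a proxy) for disclosures."""
    return find_disclosures(json.loads(body))


if __name__ == "__main__":
    leaky = json.dumps(LEAKY_TICKET_RESPONSE)
    fixed = json.dumps(sanitize_ticket(LEAKY_TICKET_RESPONSE))
    for path, reason in scan_response_body(leaky):
        print(f"leaky: {path}: {reason}")
    print("after allowlist serializer:", scan_response_body(fixed))
```

The serializer is an allowlist rather than a denylist on purpose: with a denylist, the next column added to the staff user table (a recovery code, a home address) is exposed automatically, which is exactly the class of bug this report describes. The scanner is the kind of check a team can run in CI against recorded API fixtures so that a regression reintroducing the full user object fails the build instead of waiting for a bounty report.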

Timeline Review
Dec 18, 2020 (Initial report)
Dec 20, 2020 (Triaged)
Dec 20, 2020 (Fixed)
Jan 22, 2021 (Bounty Awarded)

Be Happy :)

Ph.Hitachi

Ph.Hitachi

Be Happy :)

More from Medium

WebAppSec: Parameter Tampering

An easy bug: The Twitter story

How i got financial advisor by simply hack into their membership plan !

How I was able to takeover accounts in websites deal with Github as a SSO provider