Staff Information Disclosure on Support Ticketing System ($x,xxx)
Hi Guys,
So now I want to share my write-up on how I got a P2 and was rewarded $x,xxx on a private program, so let's start.
What is Support Ticketing System?
Tickets can come from a variety of channels, such as social media, live chat or messaging, email, or the customer support portal that you have set up on your company’s website.
An omnichannel approach to customer service enables companies to streamline their ticket workflows by organizing requests from all your channels and bringing them to one comprehensive dashboard. Omnichannel ticketing systems allow queries from any channel, and support ticket systems give visibility into customer conversations across the organization, allowing the support team to collaborate to solve queries or pull relevant insights from tickets.
How I found this bug
So first, I was looking for information disclosure, since I like hunting for vulnerabilities in APIs. I saw the “Support Ticket” entry in the sidebar navigation, so I tried opening an issue.
I opened an issue with no description and just waited for one of their staff to reply.
When I looked at the response, my own private info was returned by the API. That means the staff can see my personal info, but in my mind that was okay, since they are part of the organization.
After a day, when I was trying to find bugs again, Burp Suite flagged an email address disclosure.
In the email address disclosure issue for the path “/api/***/tickets”, Burp Suite found 2 emails: one was my email and the second was the staff member's email.
So I looked at the response, and emails were not the only thing being disclosed.
In the response we can see the account creation date, email, cellphone number, 2FA pin, IP address, etc.
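The disclosure pattern described above, as an added example (not the program's code): a ticket endpoint that embeds the full backend user record for every participant, next to an allowlist projection that only returns the fields a ticket participant needs, plus a check that walks a JSON response for sensitive keys, the kind of signal Burp's passive scan raised on the emails. The field names, the two user records and the ticket are constructed for this example.

```python
"""Ticket API over-exposure: whole user records vs an allowlist projection.

Constructed example; the field names and sample records are assumptions,
not the vendor's schema. Only the /api/***/tickets path comes from the write-up.
"""
import json

# Constructed backend user records as a ticket participant lookup would return them.
USERS = {
    "u1": {"id": "u1", "name": "Reporter", "email": "reporter@example.com",
           "phone": "+1-555-0100", "two_factor_pin": "123456",
           "last_ip": "203.0.113.7", "created_at": "2020-01-10", "role": "customer"},
    "u2": {"id": "u2", "name": "Support Agent", "email": "agent@example.com",
           "phone": "+1-555-0199", "two_factor_pin": "654321",
           "last_ip": "198.51.100.3", "created_at": "2018-05-02", "role": "staff"},
}
TICKET = {"id": 42, "subject": "Need help", "participants": ["u1", "u2"]}

# Fields any ticket participant is entitled to see about the other participants.
PUBLIC_PARTICIPANT_FIELDS = ("id", "name", "role")

# Keys that should never appear in a response served to another user.
SENSITIVE_KEYS = {"email", "phone", "two_factor_pin", "last_ip", "created_at"}


def serialize_ticket_vulnerable(ticket, users):
    """The disclosure pattern: embed the full backend record for every participant."""
    return {**ticket, "participants": [users[u] for u in ticket["participants"]]}


def serialize_ticket_fixed(ticket, users):
    """Allowlist projection: the response is built from named fields, so a new
    column added to the user record later cannot leak by default."""
    return {**ticket, "participants": [
        {k: users[u][k] for k in PUBLIC_PARTICIPANT_FIELDS}
        for u in ticket["participants"]]}


def leaked_fields(response):
    """Return the sensitive keys present anywhere in a JSON response (dict or text)."""
    if isinstance(response, str):
        response = json.loads(response)
    found = set()

    def walk(node):
        if isinstance(node, dict):
            found.update(k for k in node if k in SENSITIVE_KEYS)
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(response)
    return found
```

Run `leaked_fields` over a saved response body from a ticket endpoint to get the same kind of per-field inventory the write-up lists, which is also a cheap regression test to keep in the API's test suite after the fix.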
Timeline Review
Dec 18, 2020 (initial report)
Dec 20, 2020 (Triaged)
Dec 20, 2020 (Fixed)
Jan 22, 2021 (Bounty Awarded)