I do a lot of vulnerability disclosures, and these are mostly fire-and-forget. I'm trying to list them here, with the type of vulnerability found, and a writeup if I ever did one.
PII Leak, Authentication Bypass
Profile URLs were top-level, and thus could take over critical paths, such as /robots.txt.
Fixed: https://github.com/fossunited/fossunited/issues/424
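The root cause in that entry is a user-chosen slug being routed from the site root, so a user named `robots.txt` shadows the real file. The following is an added example (not the author's code and not fossunited's fix) showing the two layers a practitioner would want: a validator that sees the slug the way the router does (percent-decoded, case-folded, slashes stripped) and refuses reserved root paths, and a namespaced profile route so a collision is impossible regardless. The reserved list and the `/u/` prefix are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Root-level paths a user-chosen profile slug must never shadow.
# Constructed for this example; extend it with whatever your app and
# infrastructure actually serve from the root.
RESERVED_EXACT = {
    "robots.txt", "sitemap.xml", "favicon.ico", "humans.txt", "ads.txt",
    "manifest.json", "admin", "login", "logout", "api", "static", "assets",
}

# Slugs may contain dots (first.last), which is exactly why "robots.txt"
# looks like a valid username and needs an explicit deny list. Leading dots
# and slashes are rejected outright, which also covers ".well-known/...".
SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]{0,38}[a-z0-9])?$")


def normalize_slug(raw: str) -> str:
    """See the slug the way the router will: percent-decode twice (catches
    %2572obots.txt), fold case, drop surrounding whitespace and slashes."""
    s = unquote(unquote(raw))
    return s.strip().strip("/").lower()


def is_profile_slug_allowed(raw: str) -> bool:
    s = normalize_slug(raw)
    if not SLUG_RE.fullmatch(s):
        return False            # empty, too long, leading dot, "/", "..", unicode
    return s not in RESERVED_EXACT


def profile_path(slug: str) -> str:
    """The structural fix: namespace profiles (assumed prefix /u/) so no slug
    can collide with a root path. Keep the validator anyway for link hygiene."""
    if not is_profile_slug_allowed(slug):
        raise ValueError(f"reserved or malformed slug: {slug!r}")
    return "/u/" + normalize_slug(slug)


if __name__ == "__main__":
    for candidate in ["alice.smith", "robots.txt", "ROBOTS.TXT/", "%2572obots.txt", ".well-known"]:
        print(f"{candidate!r:20} allowed={is_profile_slug_allowed(candidate)}")
```

Note that the deny list only protects against names you thought of; the namespaced route is what actually closes the class of bug, since whatever the user picks can never resolve to `/robots.txt`.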
Broken Access Control, PII Exposure. Fixed (I haven’t validated it).
PII leak.
Since I never got a response from them, after multiple follow-ups, here’s the PoC:
curl --request GET \
--url 'https://wzrkt.com/e?e=Zm9hegMJCAZkaE16YWtrfAoDAQJvRWB7ZWtifwEALkQlOyA%2FPzQzZVdIRXQwKD0tMighZVFfXA%3D%3D&d=N4IglgJiBcIEoGk4FoCcqBayMIKwZABoQBXAOwGcSAjAcQCcB7EgBwpgG0BdAXyA'
It leaks PII of the campaign manager running the campaign.
Broken Access Control. Buckets were public, and I could log in as any user. Zero authorization checks.
Leher is a now-dead short-video platform, so I can perhaps write about it some day.
Their IDE platform was running a vulnerable version of code-server. Kept waiting for a few months, no idea if it was ever updated.
Reported a production server returning stack-traces. Fixed.
Reported a production server returning stack-traces. No reply.
UIDAI was running a vulnerable version of Liferay. Reported at https://captnemo.in/blog/2018/09/15/aadhaar-disclosure/
Juggernaut (an Indian publishing house, now owned by Airtel) had a bug in their Access Control allowing anyone to download the Encrypted copies (and the decryption keys) for any book on their website.
There was also a CORS issue, and a staging server returning stack-traces.
Juggernaut no longer supports the web as a reading platform, so I consider this fixed.
Experian India's Credit Card Reports include an encrypted PDF, encrypted with an easily brute-forced password since it is generated based on the timestamp.
Reported, but no reply.
A (now) unmaintained open-source CI platform. I reported a security-defaults issue along with insecure password storage in MD5. Both were promptly fixed.
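As an added example (not the author's code and not the CI platform's fix), here is the unsalted-MD5 scheme next to a replacement a practitioner would write today: a per-user random salt, a memory-hard KDF (scrypt from the standard library), a self-describing record so parameters can be raised later, and a constant-time comparison. The dictionary attack on the MD5 side uses a small constructed wordlist; the scrypt parameters are an assumption chosen to run quickly here.

```python
import hashlib
import hmac
import os

# --- the weak scheme: unsalted MD5 --------------------------------------
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_hash(digest: str, wordlist):
    """Offline dictionary attack. With no salt, one precomputed table serves
    every user, and MD5 is fast enough to try hundreds of millions/sec on a GPU."""
    for guess in wordlist:
        if weak_hash(guess) == digest:
            return guess
    return None


# --- the fixed scheme: salted scrypt with a self-describing record --------
# Assumed parameters for this example (16 MiB per hash); raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Record carries its own parameters so old hashes stay verifiable after a tune-up.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        algo, n, r, p, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample: a leaked MD5 digest and a tiny wordlist.
    leaked = weak_hash("password123")
    print("md5 cracked as:", crack_weak_hash(leaked, ["hunter2", "letmein", "password123"]))
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec[:40] + "...")
    print("verify good:", verify_password("correct horse battery staple", rec))
    print("verify bad: ", verify_password("wrong", rec))
```

Two identical passwords produce two different records under the fixed scheme, which is the property the MD5 version lacked: an attacker who dumps the table can no longer crack every account with one pass.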
I reported insecure client-side password hashing - it does some custom wrapping because Ubooquity can be deployed without TLS.
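The page does not describe Ubooquity's wrapping, so the following is an added example (not the project's code) of the general failure mode of hashing a password in the browser and sending the digest over plaintext HTTP: the digest becomes the credential, and anyone who sees it once can replay it. It contrasts that with a nonce-bound proof, which stops passive replay but still leaves the stored value password-equivalent and does nothing against an active attacker; TLS remains the real fix. The hash choices, the assumed "alice" user and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os


def client_static_hash(password: str) -> str:
    """Static client-side hash: same password, same token, every time.
    Whatever leaves the browser here IS the credential."""
    return hashlib.sha256(password.encode()).hexdigest()


class StaticHashServer:
    """Server that accepts the static token directly (the insecure pattern)."""
    def __init__(self, users):
        self.users = users          # {username: stored token}

    def login(self, user: str, token: str) -> bool:
        return hmac.compare_digest(self.users.get(user, ""), token)


class ChallengeServer:
    """Server that issues a single-use nonce and expects HMAC(token, nonce).
    A passive sniffer captures a proof bound to a nonce that is already spent."""
    def __init__(self, users):
        self.users = users          # still password-equivalent if the DB leaks
        self.pending = {}

    def challenge(self, user: str) -> str:
        nonce = os.urandom(16).hex()
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, proof: str) -> bool:
        nonce = self.pending.pop(user, None)      # consume: nonce is single-use
        if nonce is None or user not in self.users:
            return False
        expected = hmac.new(self.users[user].encode(), nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, proof)


def client_prove(password: str, nonce: str) -> str:
    token = client_static_hash(password)
    return hmac.new(token.encode(), nonce.encode(), "sha256").hexdigest()


def demo(password: str = "correct horse"):
    """Returns (static_replay_succeeds, challenge_first_login_ok, challenge_replay_blocked)."""
    token = client_static_hash(password)

    # Static scheme: attacker on the same network sniffs `token` and replays it.
    static = StaticHashServer({"alice": token})
    sniffed_token = token
    static_replay_succeeds = static.login("alice", sniffed_token)

    # Challenge scheme: attacker sniffs the proof, but its nonce has been consumed.
    chal = ChallengeServer({"alice": token})
    nonce = chal.challenge("alice")
    sniffed_proof = client_prove(password, nonce)
    first_login_ok = chal.login("alice", sniffed_proof)
    chal.challenge("alice")                       # a fresh nonce is now pending
    replay_blocked = not chal.login("alice", sniffed_proof)

    return static_replay_succeeds, first_login_ok, replay_blocked


if __name__ == "__main__":
    print("static replay works / challenge login ok / replay blocked:", demo())
```

The design point to take from the challenge variant is that it only raises the bar for a passive observer; an attacker who can modify the unencrypted page can simply ship a script that exfiltrates the password before hashing, which is why client-side hashing is not a substitute for TLS.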