search

Hiring Platform Exposing Thousands of User's Data

This page contains information regarding vulnerabilities which can lead to data leak of thousands of user's data

hashtag
Introduction

While testing various android applications, I came across an startup which directly connects employee and employers helping organizations to speed up the hiring process using AI/ML.

I've found several vulnerabilities on the platform but this page focus will be on user data exposure.

hashtag
Endpoints

hashtag

HOST
Endpoint
Usage
Comment

prod.vuln-domain.ai

/xxrect/job-service/jobs/comprehensive/recommendation?detailed=true

Get list of job ids and their descriptions

Job ids will be scraped from this endpoint

prod.vuln-domain.ai

/xxrect/job-service/candidates/jobs/<job-id>

Used to retrieve information about a job

Return various other info about recruiter with recruiter id, sendbird id, email, etc.

gibberish.sendbird.com

/v3/group_channels

Used to create channel between recruiter and candidate using respective sendbird ids

returns various user information in metadata which is posted via websocket

circle-info

some endpoints characters are replaced with x

hashtag
Endpoint Issues

  • /xxrect/job-service/jobs/comprehensive/recommendation?detailed=true

Fig 1. Endpoint with job ids

This endpoint is used to collect job ids, which will be used with other endpoints to extract recruiter's information.

  • /xxrect/job-service/candidates/jobs/<job-id>

Fig 2. Endpoint exposing recruiter's details

  • /v3/group_channels

Fig 3. Exposing recruiter's phone number before recruiter accepting to request to share phone number

Recruiter's Phone number and other various ids are being leaked from this endpoint. This endpoint allows user to connect with the recruiter when they initiate the chat. After candidate clicks on chat button a web socket handshake is initiated with the server to send metadata which posts several user information to the server. Similarly, if recruiter has added phone to their account, their meta data is being posted to the server, which is being reflected in this endpoint.

On viewing endpoint name it is clear that it's creating a group which connects users. So is it possible to add more users? If it's possible then attacker would be able to retrieve various sendbird ids info all at onceπŸ˜„.

Fig 4. Fetching multiple users information at once

It worked!! πŸŽ‰

Now, attacker can chain the endpoints then extract all the user information on the application's database leading to data leak.

hashtag
Chaining API Endpoints To Extract User's Information

  • An attacker will use /xxrect/job-service/jobs/comprehensive/recommendation endpoint to get list of job ids.

  • Using /xxrect/job-service/candidates/jobs/<job-id> Endpoint attacker can get recruiter's email address and sendbird id.

  • Once, attacker has collected all the sendbird id. Now, attacker can use /v3/group_channels endpoint to extract recruiter's phone number and other information.

hashtag
Conclusion

Due to improper asset management and excessive data exposure in API, user's data is at risk. Any attacker can use these endpoints to extract various information which can be sold on dark web, advertising agencies, scammers, etc. which will increase cyber crime in the society.

PreviousVulnerabilities in WildNextSecurity Analysis of the Indian Government's Student Assessment Platform

Last updated