Hiring Platform Exposing Thousands of User's Data
This page contains information regarding vulnerabilities which can lead to data leak of thousands of user's data
While testing various Android applications, I came across a startup that directly connects employees and employers, helping organizations speed up the hiring process using AI/ML.
I've found several vulnerabilities on the platform, but this page will focus on user data exposure.
Endpoints involved:

1. prod.vuln-domain.ai/xxrect/job-service/jobs/comprehensive/recommendation?detailed=true
   Returns the list of job ids and their descriptions. Job ids are scraped from this endpoint.

2. prod.vuln-domain.ai/xxrect/job-service/candidates/jobs/<job-id>
   Used to retrieve information about a job. Also returns various other information about the recruiter: recruiter id, sendbird id, email, etc.

3. gibberish.sendbird.com/v3/group_channels
   Used to create a channel between a recruiter and a candidate using their respective sendbird ids. Returns various user information in the metadata that is posted via WebSocket.

Note: some characters in the endpoint names have been replaced with x.
/xxrect/job-service/jobs/comprehensive/recommendation?detailed=true
This endpoint is used to collect job ids, which are then used with the other endpoints to extract recruiters' information.
/xxrect/job-service/candidates/jobs/<job-id>
/v3/group_channels
The recruiter's phone number and various other ids are leaked from this endpoint. The endpoint connects a candidate with a recruiter when the candidate initiates a chat. After the candidate clicks the chat button, a WebSocket handshake is initiated with the server to send metadata, which posts several pieces of user information to the server. Similarly, if the recruiter has added a phone number to their account, their metadata is posted to the server and is reflected in this endpoint's response.
From the endpoint name it is clear that it creates a group channel connecting users. So is it possible to add more users? If so, an attacker would be able to retrieve the information behind many sendbird ids at once.
It worked!
Now an attacker can chain the endpoints and extract all of the user information in the application's database, leading to a data leak:

1. The attacker uses the /xxrect/job-service/jobs/comprehensive/recommendation endpoint to get the list of job ids.
2. Using the /xxrect/job-service/candidates/jobs/<job-id> endpoint, the attacker obtains each recruiter's email address and sendbird id.
3. Once all the sendbird ids have been collected, the attacker uses the /v3/group_channels endpoint to extract recruiters' phone numbers and other information.
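A defender-side example, added here and not part of the original writeup: detection logic that flags a client fetching an unusually large number of distinct job ids from the job-detail endpoint within a short window, which is the signature of step 2 of the chain above. The log line format, client addresses, thresholds and the sample log are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log format (constructed for this example):
# <client> <ISO-8601 time> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
JOB_DETAIL_RE = re.compile(r"^/xxrect/job-service/candidates/jobs/([^/?]+)")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return {"client": client, "time": datetime.fromisoformat(ts),
            "method": method, "path": path, "status": int(status)}

def constructed_sample_log():
    """Constructed sample: one scraping client (25 job ids in ~100 s) and one ordinary candidate (3 jobs in an hour)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = ["203.0.113.9 2024-01-01T10:00:00 GET /xxrect/job-service/jobs/comprehensive/recommendation?detailed=true 200"]
    for i in range(25):
        t = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"203.0.113.9 {t} GET /xxrect/job-service/candidates/jobs/job-{i} 200")
    for i in range(3):
        t = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"198.51.100.4 {t} GET /xxrect/job-service/candidates/jobs/job-{i} 200")
    return lines

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct_jobs=20):
    """Return {client: peak distinct job ids seen in any `window`} for clients exceeding `max_distinct_jobs`.
    Only successful (200) job-detail fetches count; the threshold is an assumed baseline for a real candidate."""
    events = defaultdict(list)  # client -> [(time, job_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        m = JOB_DETAIL_RE.match(rec["path"])
        if m:
            events[rec["client"]].append((rec["time"], m.group(1)))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered fetches
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({jid for _, jid in evs[start:end + 1]})
            if distinct > max_distinct_jobs:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged  # e.g. find_enumerators(constructed_sample_log()) -> {"203.0.113.9": 25}
```

The same sliding-window count can be applied to channel-creation requests against /v3/group_channels, since a client creating channels with many distinct sendbird ids is step 3 of the chain.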
Due to improper asset management and excessive data exposure in the API, users' data is at risk. Any attacker can use these endpoints to extract information that can be sold to dark web markets, advertising agencies, scammers, etc., fuelling cyber crime.