Hiring Platform Exposing Thousands of Users' Data

This page describes vulnerabilities that can lead to the leak of thousands of users' data.

Introduction

While testing various Android applications, I came across a startup that directly connects employees and employers, helping organizations speed up the hiring process using AI/ML.

I've found several vulnerabilities on the platform, but this page will focus on user data exposure.

Endpoints

Host:     prod.vuln-domain.ai
Endpoint: /xxrect/job-service/jobs/comprehensive/recommendation?detailed=true
Usage:    Get the list of job ids and their descriptions
Comment:  Job ids are scraped from this endpoint

Host:     prod.vuln-domain.ai
Endpoint: /xxrect/job-service/candidates/jobs/<job-id>
Usage:    Retrieve information about a job
Comment:  Also returns information about the recruiter: recruiter id, sendbird id, email, etc.

Host:     gibberish.sendbird.com
Endpoint: /v3/group_channels
Usage:    Create a channel between recruiter and candidate using their respective sendbird ids
Comment:  Returns various user information in the metadata that is posted via WebSocket

Note: some characters in the endpoints have been replaced with x.

Endpoint Issues

  • /xxrect/job-service/jobs/comprehensive/recommendation?detailed=true

This endpoint is used to collect job ids, which are then used with the other endpoints to extract recruiters' information.

  • /xxrect/job-service/candidates/jobs/<job-id>

  • /v3/group_channels

The recruiter's phone number and various other ids are leaked from this endpoint. It connects a candidate with a recruiter when the candidate initiates a chat: after the candidate taps the chat button, a WebSocket handshake with the server is performed and metadata containing several pieces of user information is posted to the server. Similarly, if the recruiter has added a phone number to their account, their metadata is posted to the server and reflected in this endpoint's response.

From the endpoint name it is clear that it creates a group channel connecting users. So is it possible to add more users? If so, an attacker could retrieve the information behind many sendbird ids all at once 😄.

It worked!! 🎉

Now an attacker can chain the endpoints and extract all of the user information in the application's database, leading to a data leak.

Chaining API Endpoints To Extract User's Information

  • An attacker uses the /xxrect/job-service/jobs/comprehensive/recommendation endpoint to get the list of job ids.

  • Using the /xxrect/job-service/candidates/jobs/<job-id> endpoint, the attacker obtains each recruiter's email address and sendbird id.

  • Once the attacker has collected all the sendbird ids, the /v3/group_channels endpoint is used to extract recruiters' phone numbers and other information.
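As an added example (not the platform's own code), the defender-side fix for the excessive data exposure in the job-details and group-channel responses: an allowlist serializer that drops every field not meant for the client, plus a walk over the result that flags sensitive keys that slip through. The field names, allowlists and sample payloads are assumptions constructed for illustration, not taken from the application.

```python
# Allowlist per endpoint: True keeps a scalar, a nested dict recurses into an
# object (or into each element of a list). Anything not listed is dropped, so
# phone, email, recruiter_id and sendbird ids never reach the client.
JOB_PUBLIC = {"job_id": True, "title": True, "description": True,
              "recruiter": {"display_name": True, "company": True}}
CHANNEL_PUBLIC = {"channel_url": True, "name": True, "members": {"nickname": True}}
# Keys that must never appear in any client-facing response.
SENSITIVE = {"phone", "email", "recruiter_id", "sendbird_id", "user_id", "metadata"}

def filter_response(payload, allow):
    """Return a copy of payload containing only allowlisted keys."""
    if isinstance(payload, list):
        return [filter_response(item, allow) for item in payload]
    if not isinstance(payload, dict):
        return payload
    out = {}
    for key, rule in allow.items():
        if key in payload:
            out[key] = payload[key] if rule is True else filter_response(payload[key], rule)
    return out

def leaked_keys(obj, path=""):
    """List paths of sensitive keys still present; a regression check for filtered output."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE:
                found.append(here)
            found.extend(leaked_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(leaked_keys(value, f"{path}[{i}]"))
    return found

# Constructed samples shaped like the over-exposed responses (field names assumed).
SAMPLE_JOB = {"job_id": "J-1001", "title": "Backend Engineer", "description": "Python, Django",
              "recruiter": {"display_name": "A. Recruiter", "company": "ExampleCorp",
                            "recruiter_id": "R-42", "sendbird_id": "sb_abc123",
                            "email": "recruiter@example.com", "phone": "+1-555-0100"}}
SAMPLE_CHANNEL = {"channel_url": "sendbird_group_channel_1", "name": "Chat", "members": [
    {"nickname": "A. Recruiter", "user_id": "sb_abc123", "metadata": {"phone": "+1-555-0100"}},
    {"nickname": "Candidate", "user_id": "sb_def456", "metadata": {"email": "c@example.com"}}]}

if __name__ == "__main__":
    print(leaked_keys(SAMPLE_JOB))                               # 4 paths under recruiter
    print(leaked_keys(filter_response(SAMPLE_JOB, JOB_PUBLIC)))  # []
    print(filter_response(SAMPLE_CHANNEL, CHANNEL_PUBLIC))
```

Running leaked_keys over every serialized response in a test suite turns a newly added PII field into a failing test instead of a silent leak.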

Conclusion

Due to improper asset management and excessive data exposure in the API, users' data is at risk. Any attacker can use these endpoints to extract information that can be sold on the dark web or to advertising agencies, scammers, etc., increasing cyber crime in society.
