cwong-scw / app-testbed


IDOR on HackerOne #16

Open cwong-scw opened 3 years ago

cwong-scw commented 3 years ago

Summary: I have found an IDOR on HackerOne feedback review functionality; below are the following issues. Security teams can create public feedback to a hacker who did not submit any report to them; please note that public feedback will be seen on the hacker's profile. Information Disclosure: the hacker will be able to see the private feedback and the report title that will be sent to his email, even though that is not his report title. Let's focus on the first one, which has a direct security risk to all hackers, because it can be used to downgrade their profile reputations using the "What Programs Say".

Description (Include impact): A malicious user can create a public review for any hacker that he wants using the IDOR on the hacker review functionality. The public review will be displayed on the hacker's profile; therefore, if the malicious person creates a disgusting review, all HackerOne users can see that on the victim's user profile under "What Programs Say", and it may downgrade the user's profile reputation.
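The flaw described above is an object-level authorization gap: the feedback endpoint accepts a client-supplied report id and never checks that the report belongs to the reviewing program. The following is an added example, not HackerOne's code; the in-memory data model, the `FeedbackService` class, the `Forbidden` error and the sample reports are all assumptions constructed to show the vulnerable handler next to a hardened one that derives the feedback target from the report and returns the same error for unrelated and non-existent ids.

```python
"""Object-level authorization for 'program leaves feedback on a report'.

Added example (not HackerOne's code). Model, names and sample data are
assumptions illustrating the IDOR class in the issue: a reviewer from one
program submits feedback against a report id owned by another program, so
public feedback lands on an unrelated hacker's profile and the other
report's title leaks.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Report:
    id: int
    program_id: int   # program (tenant) that received the report
    reporter_id: int  # hacker who submitted it
    title: str


@dataclass(frozen=True)
class Feedback:
    report_id: int
    program_id: int
    hacker_id: int
    text: str
    public: bool


class Forbidden(Exception):
    """Raised for any report the caller is not allowed to review."""


# Constructed sample data: two programs, two hackers, one report each.
SAMPLE_REPORTS: Dict[int, Report] = {
    101: Report(id=101, program_id=1, reporter_id=501, title="XSS in profile page"),
    102: Report(id=102, program_id=2, reporter_id=502, title="SSRF in webhook"),
}


class FeedbackService:
    def __init__(self, reports: Dict[int, Report]) -> None:
        self.reports = reports
        self.feedback: List[Feedback] = []

    def create_vulnerable(self, reviewer_program_id: int, report_id: int,
                          text: str, public: bool) -> dict:
        """Vulnerable: trusts report_id as-is. Any program can leave
        (public) feedback on any report and learns its title."""
        report = self.reports[report_id]
        self.feedback.append(Feedback(report.id, reviewer_program_id,
                                      report.reporter_id, text, public))
        return {"hacker_id": report.reporter_id, "title": report.title}

    def create_secure(self, reviewer_program_id: int, report_id: int,
                      text: str, public: bool) -> dict:
        """Hardened: the report must belong to the reviewing program, and
        the feedback target (hacker_id) comes from the report, never from
        the request. Missing and foreign reports raise the same error so
        the response does not reveal whether the id exists."""
        report = self.reports.get(report_id)
        if report is None or report.program_id != reviewer_program_id:
            raise Forbidden("report not found")
        self.feedback.append(Feedback(report.id, reviewer_program_id,
                                      report.reporter_id, text, public))
        return {"hacker_id": report.reporter_id, "title": report.title}

    def profile_feedback(self, hacker_id: int) -> List[str]:
        """What would be rendered in the hacker's public profile section."""
        return [f.text for f in self.feedback
                if f.hacker_id == hacker_id and f.public]


if __name__ == "__main__":
    svc = FeedbackService(SAMPLE_REPORTS)
    # Program 1 reviewing report 102, which belongs to program 2.
    print("vulnerable:", svc.create_vulnerable(1, 102, "unwanted review", True))
    print("hacker 502 profile:", svc.profile_feedback(502))
    try:
        svc.create_secure(1, 102, "unwanted review", True)
    except Forbidden as exc:
        print("secure:", exc)
```

The check that matters is the tenant comparison on the loaded object, not the existence of the id; a lookup scoped to the caller's program (for example, querying reports filtered by both id and program id) achieves the same result at the database layer and is harder to forget in new handlers.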

dev-secure-code-warrior-pilot[bot] commented 3 years ago

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Disclosure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try this challenge in Secure Code Warrior