Sensitive Data Exposure or Password Disclosure in H1C Private site

Hello Friends,
Recently, I found a critical bug in a private site which discloses all the sensitive data or information of its users.

The bug exists in the forgot password page. I just entered my email on the forgot password page and tried to reset the password, and the site disclosed all the information of my account in the response. While resetting, I just intercepted the request through Burp, sent it to Repeater, changed my email to any registered user's email and clicked 'Go'. In the response, the site disclosed the user's sensitive information like phone number etc., along with the password as a SHA-256 hash.
Also, we don't need to decrypt the password hash; we can directly use the password hash by modifying the requests.
Always check the forgot password page or forgot password functionality for vulnerabilities. You'll get the idea.
Thanks for reading.
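The pattern described above, as an added example that is not the vulnerable site's code: a forgot-password handler that looks the account up by the submitted e-mail and echoes the whole record (phone number, SHA-256 password hash) back in the response, next to a hardened handler that returns the same generic message whether or not the address exists and delivers the reset token out of band only. The user records, field names and the in-memory "outbox" are constructed for the example. The `response_leaks` check is the kind of test a reviewer can run against a reset endpoint's response to catch exactly the disclosure the post describes.

```python
"""Forgot-password handler: the leaky pattern from the post next to a hardened
version, plus a response check. Constructed example; the user store, field
names and mail "outbox" are invented, not the vulnerable site's schema."""
import hashlib
import json
import re
import secrets

# Constructed user store (the real site's schema is unknown).
USERS = {
    "alice@example.com": {
        "id": 17,
        "email": "alice@example.com",
        "phone": "+1-555-0100",
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
    },
    "bob@example.com": {
        "id": 18,
        "email": "bob@example.com",
        "phone": "+1-555-0199",
        "password_hash": hashlib.sha256(b"hunter2").hexdigest(),
    },
}

# Stand-in for the mail queue and for the server-side table of issued reset tokens.
OUTBOX = []
RESET_TOKENS = {}


def forgot_password_vulnerable(email: str) -> dict:
    """The pattern from the post: look the account up by the submitted e-mail
    and return the whole record in the HTTP response. Whoever submits another
    user's e-mail receives that user's phone number and password hash."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {"error": "no such account"}}
    return {"status": 200, "body": dict(user)}


def forgot_password_fixed(email: str) -> dict:
    """Hardened: the response is identical whether or not the e-mail exists
    (no account enumeration), carries no account data, and the reset token
    is only ever sent to the registered address. Only a hash of the token is
    stored, so a database read does not yield usable reset links."""
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = user["id"]
        OUTBOX.append({"to": email, "reset_token": token})
    return {
        "status": 200,
        "body": {"message": "If that address is registered, a reset link has been sent."},
    }


# Field names that should never appear in an unauthenticated reset response,
# and the shape of a hex-encoded SHA-256 digest.
SENSITIVE_KEYS = {"password", "password_hash", "hash", "phone", "id", "token"}
SHA256_HEX = re.compile(r"\b[0-9a-f]{64}\b")


def response_leaks(resp: dict) -> list:
    """Review check: list the reasons a reset response should be rejected.
    Flags sensitive field names and any 64-hex-digit value in the body."""
    findings = []
    body = resp["body"]
    for key in body:
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"sensitive field '{key}' in response")
    if SHA256_HEX.search(json.dumps(body)):
        findings.append("SHA-256-shaped value in response")
    return findings


if __name__ == "__main__":
    print("vulnerable:", response_leaks(forgot_password_vulnerable("bob@example.com")))
    print("fixed:     ", response_leaks(forgot_password_fixed("bob@example.com")))
```

Running the check against the two handlers shows the difference: the vulnerable response is flagged for the phone field, the password hash field and a SHA-256-shaped value, while the hardened response is clean and is byte-for-byte the same for a registered and an unregistered address.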
Nice sharing 👍

Thanks