Sensitive Info Leak in Curve App [Bug Bounty]


Hi, I'm going to share one of my recent findings in bug bounty (this issue has already been fixed).

While performing recon on the Curve program, instead of concentrating on the .apk or .ipa of the Curve app, I focused on the web app, which is a completely static site. Even so, I tried to perform recon on the website.

The tools which are used are:
- Burp Suite
- JS Link Finder (Burp Extension)

First I crawled throughout the website with the Burp JSLinkFinder extension enabled and gathered all the paths and links from the tool output. I tried to hit all the links/paths from JSLinkFinder one by one and found two interesting endpoints, "/credit?rc=" and "/usa?rc=". These two endpoints are nowhere to be found at the website UI level.

Basically there are two functionalities in these two endpoints: "Join Waitlist" and "Track Position".

You can join the waitlist by entering your name, email, mobile number and ZIP code.

After submitting your details, you can track your application's position by entering your email ID under "Track Position".

After you enter your email address, the application responds with your application position number. Note that no PII is shown at the website UI level; there is only the position number.

So I decided to test this endpoint, guessing there might be a chance of a sensitive information leak.

Below are the steps to reproduce:

  • Navigate to https://curve.com/usa and click on "Track Position"
  • Enter any email address and click on "Submit"
  • Make sure to intercept the request using Burp Intercept
  • You'll be presented with the vulnerable request shown below

Request:

POST /api/waitlist/us HTTP/1.1
Host: website-api.production.curve.app
Connection: close
Content-Length: 30
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://www.curve.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.curve.com/credit?rc=
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

{"email":"xxxxxxxxx@gmail.com"}

  • Now send the above vulnerable request to Burp Intruder and brute force the email parameter
  • You'll now be able to retrieve all the waitlisted users' mobile numbers, IDs, addresses and other sensitive information in the response.

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 268
Connection: close
access-control-allow-origin: *
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
etag: W/"10c-Qj52/PIteKYG+1CbKaOCNpKyiDo"
date: Fri, 19 Jun 2020 09:41:26 GMT
x-envoy-upstream-service-time: 3
x-envoy-peer-metadata: [REDACTED]
x-envoy-peer-metadata-id: sidecar~10.0.152.201~website-api-7d974f5475-dtng8.production~production.svc.cluster.local
server: envoy
X-Cache: Miss from cloudfront
Via: 1.1 1671dd64160321b1f8979341944a5b14.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: MAA50-C2
X-Amz-Cf-Id: kUgxzRYYQ9rJw0zP7oR4PnDz6Rz4bCc6r30M25JrfmOyzp_xuMEHyA==

{"_id":"5eec6b1a958666b5141063e3","name":"Cxvvc","email":"xxxxxxxxx@gmail.com","phoneNumber":"7XXXXXXXXX","zipcode":"10001","position":4379,"referralCode":"BCeE8mzI","createdAt":"2020-06-19T07:36:58.460Z","updatedAt":"2020-06-19T07:36:58.460Z","__v":0,"status":"EXIST"}

I also tried the other endpoint, i.e. "/credit?rc=", but no luck: its response only gives you the position number and dates, with no PII.
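The difference between the two endpoints is exactly the fix: the "/credit" lookup projects the stored record down to position and dates, while "/api/waitlist/us" echoed the whole document. Below is an added example (my own code, not Curve's) that models both behaviours over a constructed record shaped like the redacted response above, plus a small fixed-window rate limiter as an assumed mitigation against email enumeration (the post does not say what Curve deployed). The `trackPosition` handler, the `SAFE_FIELDS` allow-list and the store API are my own names.

```javascript
// Added example, not Curve's code. Record values are constructed to mirror
// the redacted JSON response in the write-up.
const SAMPLE_RECORD = {
  _id: '5eec6b1a958666b5141063e3',
  name: 'Cxvvc',
  email: 'xxxxxxxxx@gmail.com',
  phoneNumber: '7XXXXXXXXX',
  zipcode: '10001',
  position: 4379,
  referralCode: 'BCeE8mzI',
  createdAt: '2020-06-19T07:36:58.460Z',
  updatedAt: '2020-06-19T07:36:58.460Z',
  __v: 0,
  status: 'EXIST',
};

// Explicit allow-list of what a "Track Position" caller needs to see.
// Everything else (PII, internal ids, referral codes) stays server-side.
const SAFE_FIELDS = ['position', 'createdAt', 'updatedAt', 'status'];

// The vulnerable pattern: serialise the stored document as-is.
function leakyResponse(record) {
  return { ...record };
}

// The hardened pattern: project only allow-listed fields.
function safeResponse(record) {
  const out = {};
  for (const key of SAFE_FIELDS) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

// Review helper: which keys in a response body fall outside the allow-list?
function leakedFields(body) {
  return Object.keys(body).filter((k) => !SAFE_FIELDS.includes(k));
}

// Fixed-window limiter keyed by client (assumed mitigation, see lead-in).
// Returns an allow(clientKey, now) function; `now` is injectable for tests.
function makeRateLimiter(maxPerWindow, windowMs) {
  const windows = new Map(); // clientKey -> { start, count }
  return function allow(clientKey, now = Date.now()) {
    const w = windows.get(clientKey);
    if (!w || now - w.start >= windowMs) {
      windows.set(clientKey, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= maxPerWindow;
  };
}

// Hardened lookup: throttle first, then return only the projected record.
// `store` is a Map of lower-cased email -> record (hypothetical store API).
function trackPosition(store, email, clientKey, allow) {
  if (!allow(clientKey)) {
    return { status: 429, body: { error: 'too many requests' } };
  }
  const record = store.get(String(email).toLowerCase());
  // A miss returns a minimal body as well; there is nothing to project.
  if (!record) return { status: 200, body: { status: 'NOT_FOUND' } };
  return { status: 200, body: safeResponse(record) };
}
```

`leakedFields` is the check I would wire into a test suite for any public lookup endpoint: feed it the serialised response and fail the build if anything outside the allow-list appears. The limiter is deliberately minimal; in production it would sit in the gateway (here, the Envoy sidecar) rather than in the handler.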

This issue was marked as "Medium" severity and rewarded $1500.

Hope you like this write up :)
