Sensitive Data Exposure

Greetings!!! Hello Fellow Researchers, hope you are doing well and taking care of your health in this pandemic situation, my name is Mosin Khan. In this write up I am about to tell you how I saw Sensitive information on a Reset password page. I don’t have permission to disclose target information so, let’s call it It was a normal website. To create an account it required a unique Username. I registered it successfully. I visited the forget password page, I clicked on forgot password and noticed that this website used the password reset functionality based on Username which was being used to fetch the email address and send the link, but we don’t need to check the link because our topic is sensitive data exposure As shown in the above screenshot, we captured the request with burp suite which was sending a POST request to the server along with the following account details: Email address, Phone no Name of the registered user As you can see in the above analysis shown that the above-mentioned sensitive details about the user were being sent unnecessarily causing sensitive data to be exposed. You can change the username and you can get sensitive data information such as the mobile number and email of another user very easily Hope the Blog helped you in gaining something informative. Read More: On-Demand Mobile App Thank you! AUTHOR MOSIN KHAN WEB APPLICATION SECURITY INTERN

Table of Contents

Social Media