+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2025-04-01 (/Thread-HackerOne-Disclosed-Reports-2025-04-01)
HackerOne disclosed reports - 2025-04-01 - hashXploiter - 04-02-2025
Critical
resolved
resolved
The /reports/:id.json endpoint discloses potentially sensitive user attributes when reporter summary is present
Bug reported by Avinash Kumar was disclosed at April 1, 2025, 6:23 pm | Information Disclosure
The /reports/:id.json endpoint disclosed potentially sensitive user attributes, including the reporter's email, OTP backup codes, phone number, graphql_secret_token, and t-shirt size when a reporter summary was present.