- Status Closed
- Assigned To cbay - Private
Opened by Cyberheroes1010 - 21.03.2025
Last edited by cbay - 21.03.2025
FS#141 - User PII Information Leaked In Report
Reported by: Vikash Gupta
Severity Level: Critical
Status: Pending Review
Priority: High
Overview
A Personally Identifiable Information (PII) exposure vulnerability allows unauthorized access to sensitive user data, including names, email addresses, phone numbers, and other personal details. This flaw puts user privacy at risk and may lead to identity theft, phishing attacks, and legal compliance violations.
Vulnerability Details
Feature Affected: User Data Storage & Retrieval
Vulnerability Type: PII Information Disclosure
Description: Due to misconfigured access controls, insecure API responses, or improper data exposure, sensitive user data is accessible to unauthorized users. Attackers can extract PII from API endpoints, public web pages, or logs without authentication. The leaked information may include full names, email addresses, phone numbers, addresses, or other personally identifiable data.
Steps to reproduce:
Dear alwaysdata.com Team
Sir, I'm Vikash Gupta and I'm a security researcher. I found a {User PII Information Leaked} vulnerability in your website.
Vulnerable URL :- https://security.alwaysdata.com/task/137
STEPS TO REPRODUCE:
1- Go to the vulnerable URL: https://security.alwaysdata.com/task/137
2- Scroll down and you see {User PayPal ID is Leaked in Report}
3- Fix it immediately.
BOOOOM! I hope You fixed this issue quickly.
Impact Assessment
Security Risks:
- Identity Theft: Exposed PII can be used for fraudulent activities.
- Phishing & Social Engineering Attacks: Attackers can craft targeted scams using leaked data.
- Financial Risks: Exposed financial details can lead to fraud or unauthorized transactions.
Business & Compliance Risks:
- Violation of Data Protection Laws: Non-compliance with GDPR, CCPA, and other data privacy regulations may lead to legal actions.
- Loss of User Trust: Users may lose confidence in the platform’s security.
- Reputation Damage: Public exposure of this issue can harm the company’s brand and credibility.
Proposed Solution
Implement Proper Access Controls:
- Restrict access to PII data using role-based access control (RBAC).
- Ensure only authorized users can access sensitive information.
Secure API & Web Responses:
- Remove PII exposure in API responses unless explicitly required.
- Mask or encrypt sensitive data in logs and responses.
Regular Security Audits & Compliance Checks:
- Conduct frequent security assessments to detect and fix data leaks.
- Ensure compliance with data protection laws and industry security standards.
Conclusion
This PII data exposure vulnerability poses a critical security risk, allowing attackers to steal personal user information. Implementing access controls, API security measures, and regular audits is necessary to protect user privacy and prevent legal risks.
Reported by: Vikash Gupta
Hello,
The aforementioned report was written by someone and we didn't ask them to provide their email/PayPal account. There's no vulnerability on our side.
Kind regards,
Cyril