- Status Closed
Assigned To
cbay - Private
Attached to Project: Security vulnerabilities
Opened by hHshamapes - 04.07.2025
Last edited by cbay - 04.07.2025
FS#190 - account takeover via data leak
While performing reconnaissance on your platform, I discovered an endpoint (or publicly accessible resource) that exposes sensitive customer data. This data includes personal information that should not be publicly accessible and poses a serious risk to user privacy and your organization's data security posture.
https://admin.alwaysdata.com/support/87906/ this link contains the bug report
Hello,
Please include your complete report here, not in a ticket.
Kind regards,
Cyril
Data Leakage
1. Description
Data Leakage refers to a security or modeling vulnerability in which sensitive or unintended information is exposed during the training or operation of a machine learning model. In many cases, this occurs when the model is trained using features that are not realistically available at prediction time, such as future data or outcome-related information. This can also include unintentional exposure of confidential business data to third parties through logging, backups, or API responses.
2. Impact
A data leakage incident can lead to serious consequences:
- Security Risks: Leaked customer data (e.g., names, IDs, financial info) can be used for fraud, identity theft, or targeted phishing attacks.
- Model Exploitation: Attackers can analyze exposed model behavior to bypass fraud detection or manipulate decisions.
- Business Loss: Misuse of leaked insights or internal data can result in financial losses and loss of competitive edge.
- Legal Trouble: Violating data privacy laws may lead to lawsuits, heavy fines, and mandatory public disclosures.
- Reputation Damage: Public trust may decline, causing customer churn and long-term brand harm.
3. POC (Steps to reproduce)
I found a data breach during the reconnaissance phase:
Email: <REDACTED>
Password: <REDACTED>
Email: <REDACTED>
Password: <REDACTED>
This is a credit card found in this data leak
Email: <REDACTED>
Password: <REDACTED>
Email: <REDACTED>
Password: <REDACTED>
Email: <REDACTED>
Password: <REDACTED>
Email: <REDACTED>
Password: <REDACTED>
Thanks for reviewing,
Some customers do leak their credentials, but it's not a security vulnerability from alwaysdata. There's nothing we can do to prevent a customer from leaking their credentials.