Task Description
I have identified a Credential Dump that allows unauthorized access to over 6000+ valid user credentials of Alwaysdata.com. This discovery was made in accordance with the Alwaysdata Bug Bounty Program guidelines. I am reporting this issue to ensure the security and privacy of Alwaysdata's users and to assist in prompt remediation.
Sensitive Data at Risk:
The data exposure includes, but is not limited to, vendor and client details, Personally Identifiable Information (PII), Social Security Numbers, medical and financial records, and crucial authentication credentials.
Impact
If exploited by a malicious actor, this vulnerability could lead to:
- Unauthorized access to user accounts.
- Potential compromise of sensitive personal and financial data.
- Secondary attacks using the obtained credentials (credential stuffing, phishing, etc.).
- Damage to the reputation and trustworthiness of the Alwaysdata platform.
Given the scale of the data exposure (6000+ user credentials), the impact is considered highly critical.
Steps to Reproduce:
To access and reproduce the findings related to the data leak, please follow this link: https://phonebook.cz/. It is important to note that an Academia account is required to view the full extent of the data dump. This platform was where I initially discovered the leak of valid credentials.
For your convenience, I've completed the data compilation myself and attached screenshots that capture key aspects of the data leak. Please find below the attached document containing direct links to the accounts, along with their corresponding emails and passwords. This information was extracted through a manual process, and I've managed to identify at least 30 potential accounts, reviewing their Personally Identifiable Information (PII) among other data. These images should provide a clearer understanding of the issue and assist in verifying the vulnerability.
Proof of Concept
I have attached a POC for your reference. I was only able to attach 5 files. If possible, kindly guide me so I can attach more POCs.
Remediation Suggestions
To address this vulnerability, I suggest the following immediate and long-term remediation steps:
- Revoking currently exposed credentials and enforcing a password reset for affected users.
- Implementing stricter access controls and regular security audits to prevent similar vulnerabilities.
Confidentiality Agreement
I understand the sensitive nature of this report and agree to keep the details confidential until Alwaysdata has resolved the issue and agreed to disclosure, as per the bug bounty program's guidelines.
I look forward to your prompt response and am willing to provide any further information required for the resolution of this issue. Though the leaked credentials might originate from another application or service, they are your users, and I believe it is your call to protect the privacy and data of your users. I would greatly appreciate your team's consideration of rewarding this finding, even if it falls outside the typical scope of your program. Thank you for your commitment to security and the opportunity to contribute to the safety of the Alwaysdata platform.
Regards,
Bad_Script3r
I would really appreciate it if you could revert on my email (akhilsocials@gmail.com). Thanks and regards.