#BugBounty — “Your details are saved into my account”: user info disclosure vulnerability in Practo (India’s biggest healthcare app)
This blog post is about a vulnerability I managed to find in India’s biggest healthcare app, Practo. Let’s look at the complete scenario.
The first step in bug hunting is always information gathering, and that includes subdomain enumeration. For this part I personally prefer Sublist3r ( https://github.com/aboul3la/Sublist3r ), so I ran it and found the subdomain “ray.practo.com”. Below is a short summary of what this web application is meant to do:
Practo Ray is doctor software which simplifies practice management for doctors and clinics. Using Practo Ray, doctors can schedule appointments, access digital health records, generate printed bills and prescriptions, and access clinic and patient analytics.
Within it, there was a functionality through which a user can send an SMS to the users/patients/staff added to his account, for which he has to provide the contact number concerned.
Now, when I tried sending an SMS to a newly added contact number, the HTTP request below got triggered:
And yes, you saw it right: I smelled an IDOR here (but). Although by changing the patient id or staff id (which turned out to be incremental) I was able to send an SMS to the linked user’s mobile number, the HTTP response put everything in vain, as I couldn’t see any user details :|
With some disappointment I went back to my account dashboard and refreshed it, only to see this :D
I could see that the particular user had been added to my account as a result of that parameter manipulation. I then did some more brute-forcing over the vulnerable parameter, and below are the details of some other users:
And this is how I was able to access anyone’s details and save them into my account.
P.S. Yes, IDOR is simple, but the impact is always worth exploiting. :)
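To make the root cause concrete, here is an added illustration (not Practo’s code; every name, record and id below is constructed) of a “send SMS to contact” handler that looks records up by id alone, next to the object-level authorization check that would have closed this IDOR. The side effect described above, the foreign record being linked to the caller’s account, is modelled too.

```python
# Added illustration (not Practo's code): an IDOR on a "send SMS to contact"
# endpoint, modelled after the behaviour described in the write-up, next to
# the ownership check that closes it. All names, records and ids are made up.
from dataclasses import dataclass, field


@dataclass
class Contact:
    id: int
    account_id: int          # the clinic account that owns this record
    name: str
    phone: str


@dataclass
class Account:
    id: int
    contacts: set = field(default_factory=set)   # ids shown on the dashboard


# Constructed sample data: two clinic accounts, one contact each.
CONTACTS = {
    101: Contact(101, 1, "Staff A (owned by account 1)", "+91-9000000001"),
    102: Contact(102, 2, "Patient B (owned by account 2)", "+91-9000000002"),
}
ACCOUNTS = {1: Account(1, {101}), 2: Account(2, {102})}


def send_sms_vulnerable(caller: int, contact_id: int, text: str) -> dict:
    """Looks the contact up by id only, so any account can target any id."""
    contact = CONTACTS[contact_id]
    # Side effect seen in the write-up: the foreign record gets linked to the
    # caller's account, and its details then appear on the caller's dashboard.
    ACCOUNTS[caller].contacts.add(contact.id)
    return {"status": "sent", "to": contact.phone}


def send_sms_fixed(caller: int, contact_id: int, text: str) -> dict:
    """Scopes the lookup to the caller's own account (object-level authz)."""
    contact = CONTACTS.get(contact_id)
    if contact is None or contact.account_id != caller:
        # Same response for missing and foreign ids: no existence oracle.
        return {"status": "error", "code": 404}
    ACCOUNTS[caller].contacts.add(contact.id)
    return {"status": "sent", "to": contact.phone}
```

In the fixed handler the ownership check sits beside the lookup itself rather than in the UI, so incrementing the id in the request no longer reaches another account’s record.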
14-Dec-2017 — Bug reported to the concerned company.
14-Dec-2017 — Bug was marked fixed.
20-Dec-2017 — Re-tested and confirmed the fix.
27-Dec-2017 — Rewarded by company.
Thanks for reading!
~Logicbomb ( https://twitter.com/logicbomb_1 )