In the name of God, the Most Gracious, the Most Merciful, and praise be to God, Lord of the worlds.
This is a replica of a bug I found in one of the public programs on bug bounty platforms.
I found an API that shows user information, but it requires a user ID, which is hard to guess, and the attacker has no permission to view other users' information, so the vulnerability is of no use if you don't have user IDs.
This app has some APIs that are exposed to no-role users. They should be hidden, but the developers decided to hide only the fields they considered important enough to hide, leaving the other fields in the API responses visible, thinking those had no impact. On their own they don't, but if you connect enough APIs, you get user IDs. The idea is as follows:
Visit the conversations API: the *important* fields such as messages are redacted, but the conversation ID is shown:
https://thecompany.com/api/conversations?app_id=kes32
So you take that and pass it to another API, which is responsible for showing the details of a conversation. It takes the conversation ID as an argument and returns the conversation as parts:
https://thecompany.com/api/conversation_parts?app_id=kes32&conversation_id=215472329125326
Again, most fields are redacted, but the conversation part ID is not, so you take it and, along with the conversation ID, pass both as arguments to a third API. This one returns information about the users who participated in the conversation:
https://thecompany.com/api/cono/participants/part?app_id=inb2cbf4&conversation_id=215472329125326&conversation_part_id=35744473846
The user ID is in this API's response, so you pass it to the users API and you get information disclosure:
https://thecompany.com/api/users/693ac1b36e625439089c5e3d?app_id=kes32
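To show why the chain above works and how the server side should have been written, here is an added example in plain Python. It is not code from the original writeup or from the affected program; the role names, field names and records are constructed, and the four endpoints are collapsed into two handlers (conversations and users) because the same mistake repeats at each step. The vulnerable handler redacts by deny-list, so every identifier survives and can seed the next request; the hardened handler serves only an allow-list of fields per role and refuses no-role callers outright, and the users handler performs an object-level authorization check instead of treating an unguessable ID as a credential. The exposed_identifiers helper is a regression check a team can run over each endpoint's no-role response.

```python
# Added example, not code from the original writeup. Models the partial-
# redaction mistake described in the post and a hardened alternative.
# Roles, field names and records below are constructed for illustration.
import re
from typing import Any


class Forbidden(Exception):
    """Raised where a real service would answer HTTP 403."""


# Constructed records standing in for the backend store. The ids echo the
# post's example URLs; the contents are made up.
CONVERSATIONS: dict[str, dict[str, Any]] = {
    "215472329125326": {
        "id": "215472329125326",
        "app_id": "kes32",
        "messages": ["hello", "my order has not arrived"],
        "participant_user_ids": ["693ac1b36e625439089c5e3d"],
    },
}
USERS: dict[str, dict[str, Any]] = {
    "693ac1b36e625439089c5e3d": {
        "id": "693ac1b36e625439089c5e3d",
        "email": "user@example.com",
        "phone": "+10000000000",
    },
}


def get_conversation_vulnerable(role: str, conv_id: str) -> dict[str, Any]:
    """Deny-list redaction: a no-role caller still receives the record minus
    the one field the developers judged sensitive. Every identifier survives,
    which is exactly what lets the next API in the chain be called."""
    record = dict(CONVERSATIONS[conv_id])
    if role == "none":
        record.pop("messages")
    return record


# Allow-list of fields per role. A role absent from the table cannot call the
# endpoint at all, so there is no "no-role" view to leak from.
CONVERSATION_FIELDS: dict[str, set[str]] = {
    "admin": {"id", "app_id", "messages", "participant_user_ids"},
    "member": {"id", "app_id", "messages"},
}


def get_conversation_hardened(role: str, conv_id: str) -> dict[str, Any]:
    """Allow-list serialization: only the fields the role is entitled to."""
    fields = CONVERSATION_FIELDS.get(role)
    if fields is None:
        raise Forbidden("role may not read conversations")
    record = CONVERSATIONS[conv_id]
    return {k: v for k, v in record.items() if k in fields}


def get_user_hardened(requester: dict[str, str], user_id: str) -> dict[str, Any]:
    """Object-level authorization: knowing a user id is not permission to read
    that user. Only the user themself or an admin gets the record."""
    if requester["role"] != "admin" and requester["id"] != user_id:
        raise Forbidden("requester may not read this user")
    return dict(USERS[user_id])


# Keys that look like identifiers: a bare "id" or anything ending in _id/_ids.
ID_KEY = re.compile(r"(^id$|_ids?$)")


def exposed_identifiers(response: dict[str, Any]) -> set[str]:
    """Regression check to run over each endpoint's lowest-privilege response:
    returns the keys that could seed a chain into another endpoint."""
    return {k for k in response if ID_KEY.search(k)}


if __name__ == "__main__":
    leaky = get_conversation_vulnerable("none", "215472329125326")
    print("vulnerable no-role response exposes:", sorted(exposed_identifiers(leaky)))
    try:
        get_conversation_hardened("none", "215472329125326")
    except Forbidden as err:
        print("hardened no-role call:", err)
```

The check in exposed_identifiers is deliberately crude; its value is in running it against every endpoint a no-role user can reach, since the post's bug is not any single field but the sum of identifiers left across several responses.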