Others are quiet.

They don't announce themselves. They don't need payloads. They just sit there… waiting for the wrong person to open them.

This is the story of one of those silent vulnerabilities — a publicly accessible log directory on a production API belonging to DTDC.

And inside it? Log files containing nearly one gigabyte of internal system data.

Sometimes the simplest bugs have the loudest impact.

🔍 The Unexpected Discovery

I was testing one of DTDC's utility APIs as part of their bug bounty program. The target was:

https://[REDACTED]/log/

At first glance, it looked like an endpoint that shouldn't exist. So I opened it in my browser… and instantly froze.

A full directory listing appeared:

  • error.log (14 MB)
  • requests.log (918 MB)

Both downloadable. Both publicly accessible. Both completely exposed.

This wasn't just a stray file — this was the full record of what the application had been doing for months.

📜 What These Log Files Can Reveal

Log files are like diaries — they tell the story of everything the system has done, everything that succeeded, and everything that broke.

And when they're exposed publicly, they become a security risk for very simple reasons:

🔹 1. Internal Error Messages

error.log often contains:

  • stack traces
  • server paths
  • database queries
  • framework versions
  • sensitive debug comments

Attackers love these details: they reveal the stack, its versions and its file layout, which is exactly what is needed to turn blind probing into precise, targeted attacks.
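As an added example (this is not code from the original writeup, and the sample log lines are constructed for illustration rather than taken from the exposed files), the following Python script performs the triage a bounty hunter or a defender would run over a downloaded log: it flags the error-log disclosures listed above (stack traces, server paths, database queries, framework versions) and, going beyond that list, the credential material a request log typically carries (bearer tokens, API keys, session identifiers), then shows a redaction pass that strips that credential material before a log is stored anywhere reachable. The regexes are illustrative, not an exhaustive secret-detection ruleset.

```python
import re
from typing import Dict, List, Tuple

# Credential material: group 1 is the prefix to keep, group 2 the secret to mask.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "bearer_token": re.compile(r"(Bearer\s+)([A-Za-z0-9\-._~+/]{16,}=*)"),
    "api_key": re.compile(r"((?:api[_-]?key|x-api-key)\s*[=:]\s*['\"]?)([A-Za-z0-9\-_]{16,})", re.I),
    "session_id": re.compile(r"((?:PHPSESSID|JSESSIONID|session_?id)\s*=\s*)([A-Za-z0-9\-_]{12,})", re.I),
}

# Information disclosure typical of an error log. Each line is matched on its own,
# so ^ anchors at the start of the line.
DISCLOSURE_PATTERNS: Dict[str, re.Pattern] = {
    "stack_trace": re.compile(r'^\s+at \S+\(|Traceback \(most recent call last\)|^\s+File "[^"]+", line \d+'),
    "server_path": re.compile(r"(?:/var/www|/home/\w+|/opt|/etc|/srv)/[\w./-]*"),
    "sql_query": re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+?\b(?:FROM|INTO|SET)\b", re.I),
    "framework_version": re.compile(r"\b(?:Django|Laravel|Spring|Express|PHP|Apache|nginx)[/ ]\d+\.\d+(?:\.\d+)?", re.I),
}

# Constructed sample lines (hypothetical paths, tokens and IPs; nothing from the real files).
SAMPLE_ERROR_LOG: List[str] = [
    "2024-03-02 10:14:05 ERROR Unhandled exception in /var/www/api/app/Http/Controllers/TrackController.php",
    "PHP Fatal error: Uncaught PDOException: SQLSTATE[42S22] in /var/www/api/vendor/laravel/framework/src/Database/Connection.php",
    "Query: SELECT * FROM shipments WHERE awb_no = '12345' AND status = 1",
    "    at App\\Http\\Controllers\\TrackController->show()",
    "Laravel/9.52.4 PHP/8.1.27 (Linux)",
]

SAMPLE_REQUESTS_LOG: List[str] = [
    '203.0.113.7 - - [02/Mar/2024:10:14:05 +0530] "GET /api/v1/track?awb=12345 HTTP/1.1" 200 512 "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.ZmFrZS1wYXlsb2Fk.c2lnbmF0dXJl"',
    '203.0.113.7 - - [02/Mar/2024:10:14:06 +0530] "POST /api/v1/rate HTTP/1.1" 200 88 "x-api-key: 9f3a7c1e2b4d6f8a0c1e3b5d7f9a2c4e"',
    '198.51.100.22 - - [02/Mar/2024:10:15:01 +0530] "GET /api/v1/profile HTTP/1.1" 200 301 "Cookie: PHPSESSID=k3j4h5g6f7d8s9a0q1w2e3r4t5y6"',
    '198.51.100.22 - - [02/Mar/2024:10:15:02 +0530] "GET /api/v1/health HTTP/1.1" 200 12 "-"',
]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, matched_text) for every sensitive hit in the lines."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for category, pattern in {**DISCLOSURE_PATTERNS, **SECRET_PATTERNS}.items():
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings


def categories_found(lines: List[str]) -> List[str]:
    """Sorted list of the distinct categories of sensitive data present in the lines."""
    return sorted({category for _, category, _ in scan_log_lines(lines)})


def redact_line(line: str) -> str:
    """Mask credential material in place; the prefix (e.g. 'Bearer ') is kept for context."""
    redacted = line
    for pattern in SECRET_PATTERNS.values():
        redacted = pattern.sub(r"\1[REDACTED]", redacted)
    return redacted


def redact_lines(lines: List[str]) -> List[str]:
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for name, sample in (("error.log", SAMPLE_ERROR_LOG), ("requests.log", SAMPLE_REQUESTS_LOG)):
        print(f"== {name}: {categories_found(sample)}")
        for lineno, category, text in scan_log_lines(sample):
            print(f"  line {lineno:>2} [{category}] {text}")
    print("== requests.log after redaction:")
    for line in redact_lines(SAMPLE_REQUESTS_LOG):
        print("  " + line)
```

Running the script over a real download of the two files is the fastest way to turn "a 918 MB log" into a concrete impact statement for the report: the distinct categories and a handful of line numbers per category are what a triager needs, and the redaction function is the shape of the fix the application should have applied before the token ever reached disk, independent of whether the directory was then listable.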

🔹 2. User Requests

The requests.log file, nearly 1 GB, can include:

  • full API requests
  • bearer tokens
  • API keys
  • session identifiers