hackerone / khizer47 / H1:1766228
History: Nov 08, 2022 - 11:12 a.m.

AMBER AI: Support Portal Takeover via Leaked API KEY

Reported: 2022-11-08 11:12:20
Reporter: khizer47
Source: hackerone.com
Bounty: $1500

Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS file, causing the support portals to lose control of administrator rights. We removed the dangerous token and controlled permissions by using a more secure OAuth token.
An API key and its associated email were hardcoded into a JS file linked on the homepage of www.whalefin.com, which gave me full administrator-level access to multiple Amber Group support portals and their associated organisations.

This issue was quickly fixed by removing the affected JS file and updating/deprecating the leaked API key.
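The finding above (a Zendesk API token plus its email sitting in a publicly served JS bundle) is one that anyone shipping front-end code can check for themselves. The Node.js script below is an added example; it is not code from the report, the reporter or Amber Group. It relies on Zendesk's documented API-token scheme, HTTP Basic auth with username `{email}/token` and password `{api_token}`, and scans a bundle for that credential both in plaintext and base64-encoded after `Basic `. The sample bundle, email, subdomain and token are constructed for the example, and the 40-character token is an assumption used only to build the sample; the matcher itself only requires a token of at least 20 characters.

```javascript
// Added example, not from the HackerOne report: scan a JavaScript bundle for
// Zendesk API-token credentials of the kind the report describes.
// Zendesk's API-token scheme is HTTP Basic auth with username "{email}/token"
// and password "{api_token}", so a leaked credential appears in a bundle either
// as the plaintext "email/token:KEY" string or base64-encoded after "Basic ".
// Runs under Node.js (uses Buffer for base64 decoding).

// Constructed sample credential (email and token are made up; 40 chars is an
// assumption used only for the sample, not by the matcher).
const LEAKED_EMAIL = "support-admin@example.com";
const LEAKED_TOKEN = "aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5zA7b";

// Constructed bundle resembling a page script that calls Zendesk directly from
// the browser. The last line is the same credential pre-encoded, the way a
// build step or a pasted curl header might leave it.
const SAMPLE_BUNDLE = [
  'var ZD_SUBDOMAIN="examplecorp";',
  `var ZD_AUTH="${LEAKED_EMAIL}/token:${LEAKED_TOKEN}";`,
  'fetch("https://"+ZD_SUBDOMAIN+".zendesk.com/api/v2/tickets.json",',
  '  {headers:{Authorization:"Basic "+btoa(ZD_AUTH)}});',
  `var HDR="Basic ${Buffer.from(LEAKED_EMAIL + "/token:" + LEAKED_TOKEN).toString("base64")}";`,
].join("\n");

// "{email}/token:{secret}" with a secret of at least 20 token-safe characters.
const CRED_SRC = "([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,})/token:([A-Za-z0-9]{20,})";
const CRED_ALL = new RegExp(CRED_SRC, "g");
const CRED_ONCE = new RegExp(CRED_SRC);
// Any Basic-auth blob long enough to hold an email plus token.
const BASIC_ALL = /Basic\s+([A-Za-z0-9+/=]{20,})/g;

// Keep enough of a token to correlate a finding with the vendor console,
// never enough to use it.
function redact(token) {
  return token.slice(0, 4) + "..." + token.slice(-4);
}

// Returns one finding per occurrence: plaintext credentials first, then
// credentials recovered by base64-decoding Basic-auth values.
function findZendeskTokens(source) {
  const findings = [];
  for (const m of source.matchAll(CRED_ALL)) {
    findings.push({ kind: "plaintext", email: m[1], token: m[2], offset: m.index });
  }
  for (const m of source.matchAll(BASIC_ALL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    const cred = decoded.match(CRED_ONCE);
    if (cred) {
      findings.push({ kind: "basic-b64", email: cred[1], token: cred[2], offset: m.index });
    }
  }
  return findings;
}

// Human-readable report lines with the secret redacted.
function report(findings) {
  return findings.map(
    (f) => `${f.kind} @${f.offset}: ${f.email} /token: ${redact(f.token)}`
  );
}

for (const line of report(findZendeskTokens(SAMPLE_BUNDLE))) console.log(line);
```

Point `findZendeskTokens` at every script a page loads (the report's token was in a file linked from the homepage, not in the page itself). The scan is pattern-based: a credential split across string concatenations or sent under a non-standard header name will be missed, so also treat any client-side call to `*.zendesk.com/api/v2/` as a finding in its own right, since a browser-reachable credential is public regardless of how it is encoded. On a hit, the remedy is the one the program applied: revoke the token and move the integration to a server-side or narrowly scoped OAuth credential.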