RactiurdH1:2055081Mars: Google dork lead to unsubscribe anyone from all Banfield emails
Summary:
Hi there,
while checking on shodan i found an ip “13.111.140.217” which was issued to info.banfield.com.
and this was giving me 404 status code. while checking on web archive i found out some link like:
when i did a google search i found out the endpoint for unsubscribe where i can unsubscribe any banfield users from their email without authentication and authorization.
endpoint: https://info.banfield.com/unsub?EmailAddress=█████████
Steps To Reproduce:
[add details for how we can reproduce the issue]
- do a google dork site:info.banfield.com
1.click on second link and it will direct you to https://info.banfield.com/unsub?EmailAddress=████████ - put authenticated user email and confirm. This will lead to unsubscribe them from banfield emails.
For user enum or email enum this can be done from
POST /Security/SendClientIdMail HTTP/2
Host: www.banfield.com
Cookie: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.banfield.com/
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 159
Origin: https://www.banfield.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
__RequestVerificationToken=qBYfU3x7qqHqWdyKBzxZxsmqgsz2EDemFmpfyys2agu6FhVHrRQ_v2p7n40f7N46t3a9n51kgkkxQJN2qrNEX0JLMYo1&email=█████████&returnUrl=
On this there is no rate limit so email enum can be done.
Supporting Material/References:
██████████
- [attachment / reference]
I added screen shot as a proof of concepts.
Thank you very much. Wish you a good day.
Impact
Can unsubscribe anyone from all Banfield emails