hackerone / Zig_shark / H1:2418210
History: Mar 15, 2024 - 5:59 p.m.

Doppler: Acquisition on broken link listed on the page "https://docs.doppler.com/docs/removal-deprecated-packages-scripts" in [scheduling a call]

2024-03-15 17:59:08
zig_shark
hackerone.com
14
docs doppler
broken link
redirect
fake account
bugbounty

7 High

AI Score

Confidence

Low

Summary:

Docs doppler has an unclaimed broken link on its doc page which can be claimed by any malicious user.

Steps to reproduce:

1. Visit https://docs.doppler.com/docs/removal-deprecated-packages-scripts
2. Click on scheduling a call.
{F3122702}

3. The scheduling a call page points to https://calendly.com/doppler-ryan/onsite-install, but the URL gives 404.

4. So, I impersonated his identity by forming a fake account called ‘Page Acquisition by Joao Gomes’ at this link. Here, just for PoC purposes, I assumed the broken link by creating an account with this name: doppler-ryan.

{F3122718}

Reference: https://hackerone.com/reports/2399386

{F3122743}

Impact

The product violates well-established principles for safe design.

A malicious user can create a fake account on that broken redirect link and trick users who arrive at that link.
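The defensive counterpart to the steps above is a periodic audit of outbound links in the documentation that flags dead links on services where the path is a registrable account handle (here, calendly.com/<handle>). The following is an added example, not Doppler's or the reporter's code; the claimable-host list, the sample HTML page and the status map are constructed, and the HTTP status lookup is injected so the example runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where the first path segment is an account handle anyone can register
# once it is unclaimed. Assumption: a defender-maintained list; calendly.com is
# the service named in the report.
CLAIMABLE_HOSTS = {"calendly.com"}

class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def extract_external_links(html, own_host):
    """Absolute http(s) links that point off the documentation host."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [h for h in parser.links
            if urlparse(h).scheme in ("http", "https")
            and urlparse(h).netloc.lower() != own_host]

def classify_link(url, status):
    """'ok' (2xx/3xx), 'takeover-risk' (dead handle on a claimable host) or 'broken'."""
    if 200 <= status < 400:
        return "ok"
    u = urlparse(url)
    handle = u.path.strip("/").split("/")[0]
    if u.netloc.lower() in CLAIMABLE_HOSTS and handle:
        return "takeover-risk"
    return "broken"

def audit(html, own_host, fetch_status):
    """Classify every external link; fetch_status(url) -> int is injected
    so a real run can use a HEAD request while this example stays offline."""
    return {url: classify_link(url, fetch_status(url))
            for url in extract_external_links(html, own_host)}

# Constructed sample page and response map (no network access needed).
SAMPLE_HTML = """<p>Questions? <a href="https://calendly.com/doppler-ryan/onsite-install">
Schedule a call</a>, read the <a href="/docs/cli">CLI docs</a> or check
<a href="https://status.example.com/">status</a>.</p>"""
SAMPLE_STATUS = {"https://status.example.com/": 200}  # anything else -> 404

def demo():
    return audit(SAMPLE_HTML, "docs.doppler.com", lambda u: SAMPLE_STATUS.get(u, 404))
```

Some services answer an unknown handle with a 200 "not found" page rather than a 404, so a production checker should also match on the response body for such hosts.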
