Chaturbate: Blind SSRF on image proxy

ID H1:385178
Type hackerone
Reporter jaykpatel
Modified 2018-09-20T00:05:20


The hacker discovered that our secure image proxy could be used to access HTTP(S) endpoints on internal IPs. The application was patched to not allow access to internal IPs. In this case, these servers are in a separate cluster with no access to other services, so possible exploitation was limited.
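
One way an image proxy can refuse internal destinations, shown as an added example (this is not Chaturbate's patch, whose code the report does not show). The names `check_proxy_target`, `is_public`, `BlockedTarget` and the constructed `SAMPLE_DNS` table are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class BlockedTarget(ValueError):
    """Raised when the proxy must not fetch the requested URL."""

def system_resolver(host, port):
    """Return every address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public(addr):
    """True only for globally routable, non-multicast addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global is False for RFC 1918, loopback, link-local, CGNAT, etc.
    return ip.is_global and not ip.is_multicast

def check_proxy_target(url, resolver=system_resolver):
    """Validate url and return (host, port, ip) for the fetch to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise BlockedTarget("unsupported URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    if not addrs:
        raise BlockedTarget("no address for %s" % parts.hostname)
    for addr in addrs:  # one internal record is enough to refuse
        if not is_public(addr):
            raise BlockedTarget("%s -> non-public %s" % (parts.hostname, addr))
    return parts.hostname, port, addrs[0]

# Constructed sample data so the check can be exercised offline.
SAMPLE_DNS = {
    "img.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "127.0.0.1"],
}

def sample_resolver(host, port):
    """Stand-in resolver: table lookup, IP literals resolve to themselves."""
    return SAMPLE_DNS.get(host, [host])
```

The fetch should connect to the returned IP rather than resolving the hostname a second time, and the same check should run again on every redirect the proxy follows.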