Greetings everyone, this is Shobhit Kumar Gangwar and today I'm going to share one of my last year's discoveries, which is quite interesting. This is basically an Information Disclosure which I found on the Kormo Jobs App.
This target was a job search portal application owned by Google where applicants can apply for various jobs posted by recruiters around the country.
Now this app had 2 types of recruiters: one had chosen to show their contact information, like below.
The other had chosen not to show their contact information publicly.
So after noticing this pattern, I immediately fired up my BurpSuite to analyze the requests and their responses.
And there I found out that even though the numbers were hidden in the UI, they were being returned in the response for every recruiter, making it a privacy concern.
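The root cause here is a backend that sends every field and leaves the hiding to the client. The following is an added example (not code from Kormo Jobs or from Google) with constructed recruiter records: it shows the leaky serializer pattern next to a hardened one that enforces the recruiter's visibility preference server-side, plus a small audit helper that flags any payload carrying contact data the recruiter chose not to publish.

```python
import json

# Constructed sample records (not data from the app): one recruiter who chose
# to publish contact details and one who chose to keep them hidden.
RECRUITERS = [
    {"id": "r1", "name": "Acme Hiring", "show_contact": True,
     "phone": "+1-555-0100", "email": "jobs@acme.example"},
    {"id": "r2", "name": "Globex Talent", "show_contact": False,
     "phone": "+1-555-0199", "email": "hr@globex.example"},
]

CONTACT_FIELDS = ("phone", "email")


def serialize_leaky(recruiter):
    """The pattern described in the post: every field is sent and the UI is
    trusted to hide contact details when show_contact is False."""
    return dict(recruiter)


def serialize_safe(recruiter):
    """Hardened form: the visibility preference is enforced on the server,
    so hidden contact fields never leave the backend at all."""
    public = {k: v for k, v in recruiter.items() if k not in CONTACT_FIELDS}
    if recruiter.get("show_contact"):
        for field in CONTACT_FIELDS:
            if field in recruiter:
                public[field] = recruiter[field]
    return public


def leaked_contacts(serializer, recruiters=RECRUITERS):
    """Audit helper: ids of recruiters whose serialized response still
    contains contact data they opted to keep private."""
    leaks = []
    for r in recruiters:
        body = json.dumps(serializer(r))
        hidden_values = [r[f] for f in CONTACT_FIELDS if f in r]
        if not r["show_contact"] and any(v in body for v in hidden_values):
            leaks.append(r["id"])
    return leaks


if __name__ == "__main__":
    print("leaky:", leaked_contacts(serialize_leaky))  # ['r2']
    print("safe :", leaked_contacts(serialize_safe))   # []
```

The audit helper is the kind of check a regression test can run against the real serializer, so a later change that reintroduces the leak fails the build instead of reaching the API.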
I immediately reported it to Google along with a video PoC (link to the video is attached below) and got awarded a sweet bounty and a Hall of Fame listing.
Just Observe Minor Details