Andrea Scarpino - Sharing your loan details to anyone

submitted by
Style Pass
2021-05-26 10:00:21

A week ago, I blogged about a vulnerability in a platform that would allow anyone to download users’ amortisation schedules. This was a critical issue, but it wasn’t really exploitable in the wild as it included a part where you had to guess the name of the document to download.

I no longer trust that platform, so I went to their website to remove my loan data from it, but apparently this isn’t possible via the UI.

So I went to their website with the intention of replacing the data with a fake one… but there was no longer an edit button!

However, the platform is based on Magento and so, starting from the current URL, we can easily guess the edit URL, e.g. https://<host>/anagraficamutui/mutuo/edit/id/<n>.

Even though it’s a dummy page, we can already see the details of the loan such as the (hopefully) fake IBAN, the loan amount and loan number, and even the bank contact person’s name and email address.

And now take a look at this: if I try to access that page in private mode, then I get the login page. All (almost) well, right?
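The login redirect only proves the edit route checks authentication; the guessable `edit/id/<n>` pattern is dangerous when a logged-in user can open any id. The added example below (my own illustration, not the platform's Magento code) puts the "is anyone logged in" check beside a per-object ownership check over constructed sample data, returning the same 404 for foreign and missing ids and logging denials for detection.

```python
import logging
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: loan records keyed by the id that appears in the URL,
# each with the customer who owns it. IBANs are obviously fake placeholders.
LOANS = {
    41: {"owner": "alice", "iban": "IT00-FAKE-ALICE"},
    42: {"owner": "bob", "iban": "IT00-FAKE-BOB"},
}


@dataclass
class Session:
    user: Optional[str]  # None when not logged in (e.g. a private-mode visit)


def edit_weak(session: Session, loan_id: int):
    """Weak: only asks whether *someone* is logged in, then serves any id."""
    if session.user is None:
        return (302, "redirect to login")
    loan = LOANS.get(loan_id)
    if loan is None:
        return (404, "not found")
    return (200, loan)


def edit_hardened(session: Session, loan_id: int):
    """Hardened: the record must exist AND belong to the session's user."""
    if session.user is None:
        return (302, "redirect to login")
    loan = LOANS.get(loan_id)
    if loan is None or loan["owner"] != session.user:
        # One response for "missing" and "not yours", so probing ids reveals
        # nothing about which ones exist; the log line feeds detection of
        # a user walking through many ids.
        logging.warning("denied /anagraficamutui/mutuo/edit/id/%s for user %s",
                        loan_id, session.user)
        return (404, "not found")
    return (200, loan)
```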
