1/ I've been in this bug bounty program for quite some time.
I previously bought a phone plan so I could log in and test functionality as an authenticated user.
In the dashboard, there was a tab to view your call logs.
2/ The URL contained a parameter called "subscriberId".
It contained a numerical ID, so obviously I tried to change it to another user's.
Unfortunately, it didn't work.
3/ After spidering the site with Burp, I eventually came across an old JavaScript file.
This JavaScript contained a reference to a JSP file with a name that indicated similar functionality:
"/myaccount/modals/view_call_log_details_modal.jsp"
4/ So, I visited the endpoint:
http://███.com/myaccount/modals/view_call_log_details_modal.jsp
The page loaded, and in the response I saw my call logs:
Hm. What happens if I try to change the subscriberId to someone else's here?
5/ I tried again, with another person's ID:
It actually worked.

An incredibly stupid, simple vulnerability affecting 50M+ customers. Insane
6/ I eventually found 5 other similar issues that leaked:
• Customer names, phone numbers
• Payment details (cards, amounts, dates of payments)
• Etc.
I reported them all to their bug bounty program and they duplicated them into one report and eventually fixed the issues.
7/ I'm still blown away that such simple, stupid vulnerabilities exist.
https://x.com/hacker_/status/1596014093302788096…
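
The flaw described in the thread, modeled as an added example that is not part of the original thread and is not the vendor's code: the dashboard route checks that `subscriberId` belongs to the session, the old modal route does not, and the fix moves the check to one choke point. The dashboard path, the sample IDs and data, and all function names are assumptions made for illustration, as is the premise that the dashboard enforced an ownership check.

```python
from dataclasses import dataclass

# Constructed sample data: subscriber ID -> call-log rows.
CALL_LOGS = {"1001": ["2022-11-01 555-0100 3 min"],
             "1002": ["2022-11-02 555-0199 7 min"]}

class Forbidden(Exception):
    """Raised when a session asks for another subscriber's records."""

@dataclass(frozen=True)
class Session:
    subscriber_id: str  # bound server-side at login, never taken from the request

def owns(session, params):
    # Object-level check: the requested ID must be the session's own ID.
    return session is not None and params.get("subscriberId") == session.subscriber_id

def dashboard_handler(session, params):
    # Assumed behaviour of the main view: it carries its own ownership check.
    if not owns(session, params):
        raise Forbidden("subscriberId does not belong to this session")
    return CALL_LOGS[params["subscriberId"]]

def legacy_modal_handler(session, params):
    # The forgotten endpoint: same data, no ownership check.
    return CALL_LOGS[params["subscriberId"]]

ROUTES = {
    "/myaccount/call_logs": dashboard_handler,  # hypothetical dashboard path
    "/myaccount/modals/view_call_log_details_modal.jsp": legacy_modal_handler,
}

def dispatch_before(path, session, params):
    # Before: authorization is whatever each handler remembers to do.
    return ROUTES[path](session, params)

def dispatch_after(path, session, params):
    # After: deny by default at one choke point, so old handlers cannot skip it.
    if not owns(session, params):
        raise Forbidden("subscriberId does not belong to this session")
    return ROUTES[path](session, params)

def cross_account_leaks(dispatch):
    # Regression check: as subscriber 1001, request 1002's data on every route.
    leaks = []
    for path in ROUTES:
        try:
            dispatch(path, Session("1001"), {"subscriberId": "1002"})
            leaks.append(path)
        except Forbidden:
            pass
    return leaks
```

Running `cross_account_leaks` against every registered route in CI catches a legacy endpoint like this one before it ships, provided the route table is generated from what is actually deployed rather than from what the UI links to.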