Written by Ted Mathew dela Cruz
on January 7, 2025

Leaking employee emails at a large corporation for $250

Revisiting some of my old reports at HackerOne. This particular report dates back October 2022—one of my first paid bounties. And surprisingly it’s not even a very technical one.

A reputable games and entertainment platform in the Philippines, [redacted].com, sent me an invitation to hack through HackerOne.

Here’s how I managed to find an information disclosure vulnerability at one of their domains by simply manually visiting /api/users/.

Asset Discovery

As always, my first step is to enumerate the known subdomains of [redacted].com, and my favorite tool for that is subfinder. I ran subfinder and piped the results into a text file named subdomains.txt:

subfinder -d [redacted].com | tee subdomains.txt

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/

                projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for [redacted].com
connect.[redacted].com
shuffle.game.[redacted].com
...
paas.bk.test.[redacted].com
version.common.[redacted].com
[INF] Found 1247 subdomains for [redacted].com in 33 seconds 662 milliseconds

Not all of these subdomains are live, so I probe these for live web servers using httpx. At this point, I only care about web servers that return HTTP 200 OK. To proceed, I simply pipe the stdout of subdomains.txt using cat into httpx and match only live web servers like so:

cat subdomains.txt | httpx -mc 200 -o http.txt

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/              

                projectdiscovery.io

Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.
https://msdk.[redacted].com
https://ks.msdk.[redacted].com
...
https://auth.[redacted].com

Now, I have a text file named http.txt containing hundreds of live subdomains of [redacted].com. Now comes the hard part — manually testing each one.

Manual Testing

I stumbled upon this interesting subdomain: translate.[redacted].com. Looking at its functionality, it allows for cross-region teams and outsourced staff to log in and assist in translation efforts at [redacted].com.

The site allows anyone to log in with any Google account. I logged in with my personal account and played around while proxying my network requests through Burp Suite.

One of the network requests stood out for me: /api/users/<id>/projects/. Interesting—there’s no way that manually accessing /api/users/ would give me a list of users, right?

users endpoint

…Right?

Turns out accessing GET /api/users/ reveals 3,900 internal emails of [redacted].com including employee and contractor emails.

I write a detailed report and submitted it through HackerOne. A month later, I receive a reply:

reward

Not a mindblowing amount of money, but good enough for the effort involved!

Takeaways

Manually inspecting assets is always the way to go
Even if it sounds stupid, try it anyway—even if it’s a hardened target

← → Top