Glints is a job search platform based in Singapore, and they just got a 20M investment last year, they have a team in Taiwan as well.
In July 2021, I found Glints bug bounty program so I spent some time on it, and I found 4 vulnerabilities in total in the end.
The vulnerabilities I found could have:
- Stole every applicant's personal information, including name, phone, birthday, resume, and email
- Stole every recruiter's personal information, including name, job title, team name, and email
In other words, the attacker can steal all users' information by exploiting the vulnerabilities.
Let's see what it is.
# 1. Job application IDOR leads to user information exposure
There are two roles at Glints: employee and employer. For now, anyone can create an employer account, but still need to do the verification when posting new jobs.
For sure, there is a portal for the employer to manage jobs and candidates:
Here is the API for checking job applications:
Part of API response：
In the response, there are applicant's name, email, phone and resume file name.
After seeing the API URL, I did one thing which all pentesters will do: change
JobId to another one which belongs to another company, and to my surprise, it works:
We can find
JobId easily because it's public, we can find it in the URL like this：https://glints.com/tw/opportunities/jobs/consultant/55e137a1-f96e-4720-9b08-7eb2749e1557
If I were an attacker, I can write a script to fetch all the job ids from Glints, and exploit the vulnerability to get all personal data from all applicants.
Glints fixed the vulnerability by checking
JobId and implementing correct access control.
# 2. RSS feature IDOR leads to user information exposure
Glints has a "RSS feed" feature to let users connect to Slack or other services:
There are the applicant's name, email, and resume in the response:
Here is the RSS feed url:
To forge the URL, we need the correct RSS_ID for the specific job and user id as well. It's easy to get user id because company information is public, but how about RSS_ID?
I found that there is an API for getting jobs from certain companies:
I guessed they used a Node.js ORM called Sequelize in back-end because I am familiar with this library and I found that the naming convention for query string is similar to it.
Then, I tried to add a few parameters but most of them did not work, except for one important parameter: attributes.
This field decides what to return from Sequelize, for example,
attributes=id means it returns id field only in the response. So, I put
rssId in the attribute field, and it works:
By sending this parameter, we can get job id, rss id, and company owner's id, then we can query RSS feed to get all applicant's data.
Glints remove this feature entirely because of low usage.
# 3. User information exposure
For vulnerability #1 and #2, only employer accounts can exploit it. But for this one, anyone can.
After registering an account on Glints, you will have a user id and a public profile page, like this:https://glints.com/tw/profile/public/44007523-f7a8-411d-b2c4-57c68a976534
44007523-f7a8-411d-b2c4-57c68a976534 is my user id which is also shown on the URL.
There is another API for getting user profile: https://glints.com/api/publicProfiles/44007523-f7a8-411d-b2c4-57c68a976534
Sensitive information has already been filtered, like phone and email. But, one column has been forgotten: resume. Resume field represents file name only, like
badf34128adefqcxsq.pdf, and Glints stores all the resumes in the same place, the URL rule is: https://glints-dashboard.s3.ap-southeast-1.amazonaws.com/resume/xxxxx.pdf
In other words, by just knowing the file name of the resume, we can download the file directly. If I know someone's user id, I can get their resume by exploiting the API we just mentioned, and it usually contains personal data like email, phone, even address.
Now, how do we find a bunch of user id?
We can do it by google hacking!
Because all the public profile page has the same URL pattern, google this keyword can help you to find a lot of user profile page and user id:
inurl:profile/public site:glints.com. Then, we use these user ids to get their resume.
Glints remove sensitive fields like resume from the response.
# 4. Recruiter information exposure
By far, we talked about the vulnerabilities of employees only, let's see a different vulnerability.
I scanned the subdomain of glints.com and found an interesting page: https://superpowered.glints.com/
It requires a Google account with a certain suffix, so we can't log in. But, we can find some clues in JS file! Usually, those files are minified and hard to read, but we can use the search function on Chrome Devtool. For example, I searched for "query":
From the results, you can see a GraphQL query called
findRecruiters, the parameters are also available in source code:
In response, there are the name, job title, team, and email of every single recruiter:
Glints implemented access control, a guest is unable to access this query anymore.
Most of the vulnerabilities I found are about access control. When access control is broken, it's easy to access others' data. It's not a good thing for job platforms like Glints, because there are name, email, phone, even address in a resume.
That's why all 4 vulnerabilities are identified as high-risk issues, worth 1600 SGD bounty in total.
2021-07-09First vulnerability report
2021-07-09Glints replied and they are checking
2021-07-13Glints confirmed the vulnerabilities and working on the fix
2021-07-14Second vulnerability report
2021-07-20Glints replied and only one vulnerability is fixed, others still fixing
2021-08-18I sent an email to Glints to check the latest status, no response
2021-08-31I sent an email again, no response
2021-09-09again and still no response
2021-09-20I opened an issue on their bug bounty program repo, no response
2021-10-04Glints replied to my email and said that they will get back to me tomorrow, but I got no response
2021-10-20I sent a follow-up email
2021-10-26I tweeted about the vulnerability without details because it's still not fixed, then I got a response from a co-founder at Glints
2021-10-27Glints asked me for payment detail
2021-11-11I received part of the bounty and sent an email to ask the status of vulnerabilities
2021-11-11Glints replied and confirmed that all issues are fixed
2021-12-07I received bounty in full