Able to list user's public name, username, phone number, address, facebook ID...
OLX
Team Summary
Official summary from OLX
Currently OLX is working on the mitigation of this vulnerability. All API endpoints are being reviewed by dedicated resources and fixed under high urgency.
Reported by
lukeberner
Vulnerability Details
Technical details and impact analysis
Hi,
Through api-v2/items you can list all information of users (except email). As items are sequential, you can just make a script that crawls items from:
https://www.olx.com.ar/api-v2/items/822200000
to
https://www.olx.com.ar/api-v2/items/901858309
Example of sensible user information from random curl:
```
██████████
```
```
█████████
```
Example of random curl:
```
$ curl https://www.olx.com.ar/api-v2/items/822200000
██████████
```
Let me know if you need anything else.
Cheers,
Luke.-
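The sequential walk over item IDs described in the report leaves a recognisable pattern in access logs. As an added example (not part of the original report and not OLX's code), this Python detector flags clients that request many near-consecutive `/api-v2/items/<id>` values inside a short window; the combined-log layout, the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Route taken from the report; the combined-log layout is an assumption.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /api-v2/items/(?P<id>\d+)[ ?]')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:0%d +0000] '
    '"GET /api-v2/items/82220000%d HTTP/1.1" 200 512' % (i, i)
    for i in range(8)
] + [
    '198.51.100.4 - - [01/Jan/2024:10:00:01 +0000] "GET /api-v2/items/850001234 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:30 +0000] "GET /api-v2/items/822345678 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:55 +0000] "GET /api-v2/items/901000001 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:01:10 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]

def parse(line):
    """Return (ip, timestamp, item_id) for item-detail requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["id"])

def find_enumerators(lines, window=timedelta(seconds=60), min_ids=5,
                     max_step=10, min_ratio=0.8):
    """Map ip -> (distinct_ids, sequential_ratio) for clients walking item IDs."""
    per_ip = defaultdict(list)
    for ip, ts, item_id in filter(None, map(parse, lines)):
        per_ip[ip].append((ts, item_id))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            ids = list(dict.fromkeys(i for _, i in hits[start:end + 1]))
            if len(ids) < min_ids:
                continue
            # Fraction of consecutive requests whose IDs differ by a small step.
            steps = sum(1 for a, b in zip(ids, ids[1:]) if 0 < abs(b - a) <= max_step)
            ratio = steps / (len(ids) - 1)
            if ratio >= min_ratio and len(ids) > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (len(ids), ratio)
    return flagged
```

Browsing users who open a handful of unrelated listings stay below both thresholds, while a client stepping through adjacent IDs is reported with the size of the largest run seen.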
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure