API Data Leakage Vulnerability Report - `xvcams.com`

### **HackerOne API Data Leakage Vulnerability Report - `xvcams.com`** --- ## **Summary:** A **sensitive data exposure vulnerability** was discovered in the API endpoints of `xvcams.com`. These API responses leak personally identifiable information (PII) of models, including **birthdates, locations, eye color, phone verification statuses, and even internal user IDs**. This issue **violates user privacy policies** and can be **exploited for data harvesting, identity theft, targeted phishing, and account takeovers**. Previously, **a similar vulnerability was found in another system using the same CDN (`cdn5.vscdns.com`)**, indicating a **systemic security issue.** --- ## **Affected Endpoints:** ### **1️⃣ `/api/models/get-offline-models-by-tags.php`** 📌 **Request Example:** ``` https://www.xvcams.com/api/models/get-offline-models-by-tags.php?sitekey=xvt&tag_id=115&service=girls&t=1714076106516 ``` 📌 **Sensitive Data Leaked in Response:** ```json { "id": "1153601", "name": "Emiy Lopera", "image": "https://cdn5.vscdns.com/images/models/samples/4552647.jpg", "birthdate": "2001-08-31", "age": 23, "location": "Brazil", "eye_color": "brown", "phone": { "id": "75725", "model_id": "1153601", "primary_ext": "375093", "username": "MODEL_1153601", "incoming_tel_num": "************", "country_code": "CO", "verified_phone": "1", "cpm_cost": "20 Credits Per Minute" } } ``` 📌 **Critical Issues:** - 🚨 **Birthdate exposure** (Used for identity fraud) - 🚨 **Location data exposure** (Can be used for targeted harassment) - 🚨 **Phone number metadata** (Shows if a number is verified) - 🚨 **Internal User IDs & Model IDs** (Can be used for unauthorized API queries) --- ### **2️⃣ `/api/models/recommend-models-to-cust.php`** 📌 **Request Example:** ``` https://www.xvcams.com/api/models/recommend-models-to-cust.php https://www.xvcams.com/api/models/recommend-models-to-cust.php?user_id=0&model_id=1078906&t=1726734766762 ``` 📌 **Sensitive Data Leaked in Response:** ```json { "data": [ { "recommId": "7f5acb3843e7e600bfa18a131c33db09", "sample_image_id": "4577134", "model_id": 1358038, "model_name": "Sally Blazee", "model_seo_name": "sally-blazee", "interactive": 32, "room_status": "O", "room_status_char": "O", "login_group_title": "Multi-User", "login_group_id": 4, "multi_user_private": true, "service": "girls" } ] } ``` 📌 **Critical Issues:** - 🚨 **Exposes internal model IDs** (can be used for brute force enumeration) - 🚨 **Leaked `recommId` values** (possible user tracking vulnerability) - 🚨 **Room status leakage** (indicates if a model is online or private) --- ## **Steps to Reproduce:** 1. Open a browser and navigate to: ``` https://www.xvcams.com/api/models/get-offline-models-by-tags.php?sitekey=xvt&tag_id=115&service=girls&t=1714076106516 ``` 2. Observe the API response leaking sensitive information such as **birthdate, location, and phone verification details**. 3. Modify the request **(`tag_id`, `model_id`, `user_id`)** to retrieve different users' data. 4. Perform the same steps on: ``` https://www.xvcams.com/api/models/recommend-models-to-cust.php?user_id=0&model_id=1078906&t=1726734766762 ``` and notice the exposure of internal tracking IDs and session data. 5. ``` https://www.xvcams.com/?tpl=index2&model=json&_=1496352433890 ``` --- ## **Impact:** 🚨 **This vulnerability exposes personally identifiable information (PII), leading to:** - **Identity Theft & Fraud** (birthdates + location = easy identity verification attacks) - **Targeted Harassment & Doxxing** (users' real locations may be exploited) - **Data Scraping for Black Markets** (massive dataset leaks could be sold or misused) - **User Tracking via API Enumeration** (revealing whether users are online, offline, or in private rooms) --- ## **Severity: CRITICAL 🚨** 🔴 **Immediate Fix Required – Exposed User Data Poses High Risk** 🔴 Would appreciate an urgent response regarding the fix. Thank you. ## Impact ## **Impact:** 🚨 **This vulnerability exposes personally identifiable information (PII), leading to:** - **Identity Theft & Fraud** (birthdates + location = easy identity verification attacks) - **Targeted Harassment & Doxxing** (users' real locations may be exploited) - **Data Scraping for Black Markets** (massive dataset leaks could be sold or misused) - **User Tracking via API Enumeration** (revealing whether users are online, offline, or in private rooms) --- ## **Severity: CRITICAL 🚨** 🔴 **Immediate Fix Required – Exposed User Data Poses High Risk** 🔴 Would appreciate an urgent response regarding the fix. Thank you.