View Failed Approval and Pending videos of other users
Low
Chaturbate
Team Summary
Official summary from Chaturbate
The hacker found that public photosets can be accessed before they are approved or denied. This was quickly resolved. There was no access to private photosets.
Reported by
tismayil
Vulnerability Details
Technical details and impact analysis
See videos uploaded by a user. The video is available when it waits for confirmation or is not accepted.
## Steps To Reproduce:
1 - Go to the victim's page: https://chaturbate.com/p/akaxanxa/?tab=bio
2 - Open a video: https://chaturbate.com/photo_videos/photo/big/[user_name]/[content_id]/
3 - Get random requests - https://chaturbate.com/photo_videos/photo/big/[user_name]/[last content id + 1]/
4 - Done - If the ID holds content, it opens up as a result.
## Impact
By collecting user information, they can access their pending content.
I can share content on my site or blog as original content under my own name by playing the contents.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$200.00
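
The missing server-side check behind this report, sketched as an added example (not code from the report or from Chaturbate): a handler that serves any existing content id, next to one that also gates on approval state. The record layout, the sample ids and names, the owner-preview rule and the choice of a 404 response are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Media:
    content_id: int
    owner: str
    status: str  # "pending", "approved" or "denied"

# Constructed sample records; ids and user names are illustrative only.
STORE = {m.content_id: m for m in (
    Media(1001, "alice", "approved"),
    Media(1002, "alice", "pending"),
    Media(1003, "alice", "denied"),
    Media(1004, "bob", "approved"),
)}

def serve_unchecked(user_name: str, content_id: int, viewer: Optional[str]) -> int:
    """Behaviour the report describes: any id that exists is served."""
    media = STORE.get(content_id)
    return 200 if media and media.owner == user_name else 404

def serve_checked(user_name: str, content_id: int, viewer: Optional[str]) -> int:
    """Serve approved items only; assumed rule: owners may preview their own uploads."""
    media = STORE.get(content_id)
    if media is None or media.owner != user_name:
        return 404
    if viewer == media.owner:
        return 200
    if media.status != "approved":
        # Same response as a missing id, so the status code does not
        # confirm that unapproved content exists at this id.
        return 404
    return 200

Handler = Callable[[str, int, Optional[str]], int]

def leaked_to(handler: Handler, viewer: Optional[str]) -> List[int]:
    """Ids of unapproved items that a non-owner `viewer` can fetch via `handler`."""
    return [cid for cid, m in sorted(STORE.items())
            if m.status != "approved" and m.owner != viewer
            and handler(m.owner, cid, viewer) == 200]

if __name__ == "__main__":
    print("unchecked:", leaked_to(serve_unchecked, "mallory"))
    print("checked:  ", leaked_to(serve_checked, "mallory"))
```

`leaked_to` works as a regression check: it should return an empty list for every handler that serves user media.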