CORS misconfiguration leads to users information disclosure at https://studyroom.line.me

Medium
LY Corporation

Team Summary

Official summary from LY Corporation

Due to the CORS (Cross-Origin Resource Sharing) misconfiguration in the StudyRoom API server, SOP (Same-Origin Policy) can be bypassed, and the API that retrieves one's profile information was returning more personal information than necessary. Combining the issues allows an attacker to obtain user information when a user clicks a URL of a maliciously crafted web page. This vulnerability could lead to a PII leak, so we paid an additional PII bonus. We would like to thank @dhbd88 for his clear proof of concept using his own test accounts.

Reported by duahaubadao

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Information Disclosure