Using ‘Waymore’ to Uncover Archived Treasures and Customer Data
In bug bounty hunting, even the smallest scopes can lead to surprising discoveries. This is the story of how a seemingly limited program ended up revealing a major PII data leak in one of the subdomains.
And you know how it goes — when you use tools every day, sometimes it feels like they’re not working as you want. But just because they don’t always give you the results you’re looking for, doesn’t mean they aren’t doing their job. The real issue? Sometimes, it’s just the luck of the draw. 😉
Discovery
It all started when I stumbled upon a program with a narrow scope, most of its assets were internal, leaving me with only a subdomain to explore — store.website.com and it was running with shopify. I decided to go deeper into its parameters and archived URLs so maybe could something be found, as lately I was depending on waymore for getting those archieved URLs.
My breakthrough came when I discovered the power of the Waymore tool by XNL-h4ck3r I saw a lot of people talk about it on X as I am just an OG hacker using ‘waybackurls’. This tool combines various resources to extract URLs, providing a bunch of information for me to check. With the proper configuration of the config.yml file, I was able to run the tool and extract valuable URLs related to the subdomain.
Among the many URLs I got, one particular format caught my attention:
https://store.website.com/RANDOM_DIGITS/orders/{order_id}/authenticate?key={authentication_key}
These URLs contained sensitive PII such as full names, email addresses, phone numbers, and even Google map locations of customers who made purchases in the store.
I promptly reported this to the program. However, the customer initially struggled to reproduce the issue due to needing API keys from URL scan and VirusTotal. Eventually, after further investigation and validation, the severity was escalated to a P2, and I eagerly await the reward for my discovery.
X: @sl4x0
