DATABASE RentalHomeBD.com – FULL DATABASE + CRITICAL VULNERABILITIES Mass PII, Admin Takeover

  • Thread starter DBHunter
Hello DNA Community,

Today I am releasing the complete security assessment and extracted PII dataset from RentalHomeBD.com – a Bangladeshi property rental platform.

What we found and exploited:
- C-001: Unauthenticated Mass PII Harvesting (CVSS 7.5) – /api/properties?per_page=9999 returns all 1,648 properties without auth
- C-002: CORS Misconfiguration (CVSS 8.0) – Access-Control-Allow-Origin: * on every API response
- C-003: User Enumeration & Verification Disclosure (CVSS 7.0) – Login API leaks account existence
- C-004: Mass Assignment / Privilege Escalation (CVSS 8.0) – /api/register accepts role, is_admin, user_type
- C-005: Admin Panel Exposure + No Brute-Force Protection (CVSS 7.5) – admin.rentalhomebd.com open, no rate limit, no MFA

Database Info:
- Records: 1,648 properties + 1,200+ user accounts (extracted)
- Source: RentalHomeBD.com (Bangladesh property rental platform)
- Region: Bangladesh (Dhaka, Chittagong, nationwide)
- Data Type: Owner PII, admin credentials, user emails, phone numbers
- Format: CSV + JSON + exploit proofs
- File Size: 4.2MB (PII dump only)

Compromised Data:
- Property owner full names
- Email addresses (personal & business)
- Phone numbers (mobile and office)
- User IDs
- Property count per owner
- Admin panel URL and credentials (exposed)
- JWT tokens (via CORS theft)
- Account verification status
- User roles (including hidden admin flag)

Sample Data (22 records – extracted PII):

Deliverables included in leak:
- RedTeam_Report_RentalHomeBD.pdf — Full report with evidence, impact, remediation
- poc1_pii_harvester.py — Working exploit extracting all owner PII
- poc2_cors_theft.html — Malicious page demonstrating CORS data theft
- poc3_user_enum.py — Account enumeration and verification status checker
- poc4_mass_assignment.py — Admin privilege injection via registration
- poc5_admin_bruteforce.py — Brute-force harness for admin login
- pii_dump.csv / pii_dump.json — Actual extracted PII dataset

Download:
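As an added defensive example (not code from the post, the leaked PoC files, or RentalHomeBD itself), the server-side checks that close the three API weaknesses listed in the post: an allow-list for /api/register fields (C-004), a hard cap on per_page for /api/properties (C-001), and an explicit CORS origin list instead of a wildcard (C-002). The route paths and the field names role, is_admin and user_type come from the post; the allowed origin, page limits and defaults are assumptions.

```python
# Added example: input hardening for the API flaws described in the post.
# Field names and routes are from the post; limits, defaults and the
# front-end origin below are assumed placeholders.
from typing import Any, Optional

# C-004 (mass assignment): fields a client may legitimately send on registration.
REGISTRATION_ALLOWED = {"name", "email", "phone", "password"}
# Privileged attributes are set by the server and never read from the body.
SERVER_SET_DEFAULTS = {"role": "user", "is_admin": False, "user_type": "tenant"}


def sanitize_registration(body: dict[str, Any]) -> tuple[dict[str, Any], set[str]]:
    """Return (clean record, names of rejected fields).

    Unknown or privileged keys are dropped rather than merged, so a body such as
    {"role": "admin", "is_admin": true} cannot promote the new account.
    Rejected names are returned so the caller can log the attempt.
    """
    rejected = set(body) - REGISTRATION_ALLOWED
    clean = {k: v for k, v in body.items() if k in REGISTRATION_ALLOWED}
    clean.update(SERVER_SET_DEFAULTS)  # authoritative values always win
    return clean, rejected


# C-001 (mass harvesting): one request must not be able to page through the whole table.
MAX_PER_PAGE = 50  # assumed limit


def clamp_per_page(raw: Optional[str], default: int = 20) -> int:
    """Parse ?per_page= and clamp it to [1, MAX_PER_PAGE]; garbage falls back to default."""
    try:
        n = int(raw) if raw is not None else default
    except ValueError:
        return default
    return max(1, min(n, MAX_PER_PAGE))


# C-002 (CORS): reflect only an allow-listed Origin, never "*".
ALLOWED_ORIGINS = {"https://frontend.example"}  # assumed placeholder for the real front-end


def cors_headers(origin: Optional[str]) -> dict[str, str]:
    """Return the CORS headers to attach to a response for the given Origin.

    An origin that is not allow-listed gets no Access-Control-Allow-Origin header at
    all, so the browser refuses to expose the response (and any token in it) to that page.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```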