DATABASE RentalHomeBD.com – FULL DATABASE + CRITICAL VULNERABILITIES Mass PII, Admin Takeover

  • Thread starter DBHunter

DBHunter (Infinity Member, Golden Member) · Joined August 23, 2025 · Messages 2,221 · Reaction score 4,611 · Points 113

Thread Author · #1
Hello DNA Community,

Today I am releasing the complete security assessment and extracted PII dataset from RentalHomeBD.com – a Bangladeshi property rental platform.

What we found and exploited:
- C-001: Unauthenticated Mass PII Harvesting (CVSS 7.5) – /api/properties?per_page=9999 returns all 1,648 properties without auth
- C-002: CORS Misconfiguration (CVSS 8.0) – Access-Control-Allow-Origin: * on every API response
- C-003: User Enumeration & Verification Disclosure (CVSS 7.0) – Login API leaks account existence
- C-004: Mass Assignment / Privilege Escalation (CVSS 8.0) – /api/register accepts role, is_admin, user_type
- C-005: Admin Panel Exposure + No Brute-Force Protection (CVSS 7.5) – admin.rentalhomebd.com open, no rate limit, no MFA

Database Info:
- Records: 1,648 properties + 1,200+ user accounts (extracted)
- Source: RentalHomeBD.com (Bangladesh property rental platform)
- Region: Bangladesh (Dhaka, Chittagong, nationwide)
- Data Type: Owner PII, admin credentials, user emails, phone numbers
- Format: CSV + JSON + exploit proofs
- File Size: 4.2MB (PII dump only)

Compromised Data:
- Property owner full names
- Email addresses (personal & business)
- Phone numbers (mobile and office)
- User IDs
- Property count per owner
- Admin panel URL and credentials (exposed)
- JWT tokens (via CORS theft)
- Account verification status
- User roles (including hidden admin flag)

Sample Data (22 records – extracted PII):


Deliverables included in leak:
- RedTeam_Report_RentalHomeBD.pdf — Full report with evidence, impact, remediation
- poc1_pii_harvester.py — Working exploit extracting all owner PII
- poc2_cors_theft.html — Malicious page demonstrating CORS data theft
- poc3_user_enum.py — Account enumeration and verification status checker
- poc4_mass_assignment.py — Admin privilege injection via registration
- poc5_admin_bruteforce.py — Brute-force harness for admin login
- pii_dump.csv / pii_dump.json — Actual extracted PII dataset

Download:
Reactions: Uniduckey, wh0_ami, Aayesha and 1 other person
Tags: admin, and, api, com, cors, cvss, data, dump, extracted, mass, owner, pii, properties, property, rentalhomebd, theft, user, verification, via
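The five weakness classes the post lists (unbounded `per_page`, wildcard CORS, login responses that reveal account existence, mass assignment of `role`/`is_admin`/`user_type`, and an admin login with no attempt limiting) are all server-side defects with well-known fixes. The code below is an added defensive illustration written for this page; it is not code from the post, from the leaked "poc" scripts, or from RentalHomeBD.com, and the origin `https://app.example.com`, the field names, the limits and the sample accounts are all constructed assumptions. It shows, in plain Python with no framework, how a backend can clamp page sizes, echo only an allow-listed `Origin`, strip privileged fields from a registration payload, return one uniform login error regardless of why authentication failed, and cut off repeated failures.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional, Tuple

# --- C-004 (mass assignment) ------------------------------------------------
# Only these client-supplied fields ever reach the user record. Anything else
# (role, is_admin, user_type, ...) is dropped and returned so it can be logged.
REGISTRATION_ALLOWED_FIELDS = frozenset({"name", "email", "password", "phone"})


def sanitize_registration(payload: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Allow-list registration input; the role is assigned by the server only."""
    clean = {k: v for k, v in payload.items() if k in REGISTRATION_ALLOWED_FIELDS}
    rejected = sorted(k for k in payload if k not in REGISTRATION_ALLOWED_FIELDS)
    clean["role"] = "user"  # never derived from the request body
    return clean, rejected


# --- C-002 (CORS) -------------------------------------------------------------
TRUSTED_ORIGINS = frozenset({"https://app.example.com"})  # constructed placeholder


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only an allow-listed Origin; a credentialed API must never send '*'."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",
            "Access-Control-Allow-Credentials": "true",
        }
    return {}  # unknown origin: no CORS headers, browser blocks the read


# --- C-001 (unbounded per_page) ----------------------------------------------
def clamp_page_size(raw: Optional[str], default: int = 20, maximum: int = 100) -> int:
    """Parse a per_page query value and keep it within [1, maximum]."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))


# --- C-003 / C-005 (enumeration, brute force) ---------------------------------
GENERIC_ERROR = "Invalid email or password"  # identical for unknown user and bad password


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _kdf("placeholder", _DUMMY_SALT)  # used to equalise timing for unknown users


def make_account(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


class LoginLimiter:
    """Sliding-window counter of failed attempts per key (client IP or account)."""

    def __init__(self, max_attempts: int = 5, window: float = 300.0) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self._failures: Dict[str, List[float]] = {}

    def allowed(self, key: str, now: float) -> bool:
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return len(recent) < self.max_attempts

    def record_failure(self, key: str, now: float) -> None:
        self._failures.setdefault(key, []).append(now)


def authenticate(accounts: Dict[str, Dict[str, bytes]], email: str, password: str,
                 limiter: LoginLimiter, key: str, now: float) -> Tuple[int, str]:
    """Return (status, message); the message never reveals whether the account exists."""
    if not limiter.allowed(key, now):
        return 429, GENERIC_ERROR
    user = accounts.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    ok = user is not None and hmac.compare_digest(_kdf(password, salt), expected)
    if not ok:
        limiter.record_failure(key, now)
        return 401, GENERIC_ERROR
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(sanitize_registration({"email": "a@example.com", "password": "pw", "is_admin": True}))
    print(cors_headers("https://evil.example"), cors_headers("https://app.example.com"))
    print(clamp_page_size("9999"))
    accounts = {"alice@example.com": make_account("correct horse")}
    lim = LoginLimiter()
    print(authenticate(accounts, "nobody@example.com", "x", lim, "203.0.113.5", 0.0))
    print(authenticate(accounts, "alice@example.com", "correct horse", lim, "203.0.113.5", 1.0))
```

The dummy KDF run for unknown e-mail addresses keeps the response time of "no such user" close to that of "wrong password", which closes the timing side of the enumeration issue as well as the message side. In a real deployment the limiter state would live in a shared store rather than process memory, and an admin login would additionally sit behind MFA.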