The student Abdulrahman Al-Saleem, one of the distinguished students of the Faculty of Information Technology, managed to discover a medium-severity vulnerability in a system belonging to DHL thru a sensitive configuration file (envx.js) that was publicly available, which contains important information such as API keys, internal endpoints, and configuration data related to the system.
This vulnerability was discovered during the reconnaissance process and analysis of JavaScript files, where the student noticed the presence of keys that could be used directly. Upon testing them, it was found that they were effective, and it also revealed some API details and usage methods. The danger of this vulnerability lies in the fact that it may allow unauthorized API usage and could lead to significant financial impact on the company, in addition to disclosing some system information, which could facilitate any subsequent attack.
As a result, the student reported the vulnerability to DHL thru the Bug Bounty platform (Intigriti), and the report was accepted. The student's name (pseudonym) was included in the company's security researchers' leaderboard, as shown in the attached image. And usually, there is a financial reward for the one who discovers the vulnerability. Congratulations to the college and our distinguished student.