How I dumped PII information of customers in an ecommerce site?

Rikesh Baniya
2 min read · Dec 10, 2020

Like on every website, the most interesting endpoint is always the image upload section.
So I fired up Burp and checked how the images were being stored.

The first thing I noticed was that the images were uploaded to AWS S3. So, as always, I checked the bucket for misconfigured read/write access. The bucket looked solid.

The image was stored in the following format.

https://target.s3.us-east1.com/[image-id]?{Signature}

The image-id was a 16-character alphanumeric value.
However, in order to access the image, you needed a valid signature from Amazon in the URL (a pre-signed URL).

While checking the Burp logs, I found an interesting endpoint that generated signatures for those images based on an image id supplied by the user.

The first thing I did was supply “1” as the photo id.

The signed URL generated was :
https://target.s3.us-east-1.com/1?{Signature}

Now imagine supplying a null (empty) value as the photoID. If the endpoint returned a signed URL of the following format:
https://target.s3.us-east-1.com/?{Signature} you would get access to the entire list of private images hosted in that bucket, because a signed GET on the bucket root is a list-objects request rather than a request for a single object.

When I supplied a null value, it returned an error.

I then tried different ways to bypass it by encoding the parameters, but had no success and gave up.

After almost a week, while I was checking a subdomain of that target, I saw that it was also using a bucket to store images, but this time the images were under a “folder” (key prefix) called static.

Then I thought: why didn't I think of that before?

I quickly fired up Burp and started brute-forcing folder names such as admin, admins, user, users, etc.
Finally the value “consumers” matched.

Visiting the signed URL gave me access to the images of the users' ID cards, which contained some really sensitive personal information.
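The root cause here is a pre-signing endpoint that signs whatever key the caller supplies. The following added example (not code from this post or from the target) contrasts that pattern with a version that builds the object key server-side from a validated, user-owned image id; the HMAC signer, the `OWNED_IMAGES` table and the `uploads/<user>/` prefix are constructed stand-ins for AWS SigV4 and the application's own database.

```python
import hashlib
import hmac
import re
from urllib.parse import quote

BUCKET_URL = "https://target.s3.us-east-1.com"  # placeholder host, as in the post
SIGNING_KEY = b"constructed-demo-key"            # stands in for the app's AWS credentials
IMAGE_ID_RE = re.compile(r"^[A-Za-z0-9]{16}$")   # 16-character alphanumeric ids, as described

# Constructed ownership table: which image ids belong to which authenticated user.
OWNED_IMAGES = {
    "alice": {"A1B2C3D4E5F6G7H8"},
    "bob": {"Z9Y8X7W6V5U4T3S2"},
}


def _sign(key: str) -> str:
    """Stand-in for SigV4: an HMAC over the object key (constructed, not AWS's algorithm)."""
    return hmac.new(SIGNING_KEY, key.encode(), hashlib.sha256).hexdigest()[:16]


def presign_vulnerable(photo_id: str) -> str:
    """Signs whatever the caller sends: an empty id signs the bucket root (a listing
    request) and a prefix such as "consumers/" signs a folder the caller never owned."""
    return f"{BUCKET_URL}/{quote(photo_id, safe='/')}?Signature={_sign(photo_id)}"


def presign_hardened(user: str, photo_id: str) -> str:
    """Signs exactly one object key, built server-side from an id the caller owns."""
    if not IMAGE_ID_RE.fullmatch(photo_id):
        raise ValueError("invalid image id")        # rejects "", "1", "consumers/", "../"
    if photo_id not in OWNED_IMAGES.get(user, set()):
        raise PermissionError("image not owned by caller")
    key = f"uploads/{user}/{photo_id}"              # fixed prefix, no caller-controlled path
    return f"{BUCKET_URL}/{key}?Signature={_sign(key)}"


def hardened_decision(user: str, photo_id: str) -> str:
    """Summarises the hardened endpoint's outcome for a request."""
    try:
        presign_hardened(user, photo_id)
        return "allow"
    except ValueError:
        return "invalid-id"
    except PermissionError:
        return "not-owner"


def is_single_object_url(url: str) -> bool:
    """True when the signed path names one object rather than the bucket root or a prefix."""
    path = url[len(BUCKET_URL) + 1:].split("?", 1)[0]
    return bool(path) and not path.endswith("/")
```

Logging rejected requests from `presign_hardened` (empty ids, prefix-shaped ids, ids the caller does not own) gives a cheap detection signal for the enumeration described above.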

Thanks for reading :)
