Skip to content

Security Review (ExpertRight)

Published: March 18, 2020

2 min read


Security Review (ExpertRight)

Sometime ago, scrolling through the Chrome newsfeed, I came across a story by YourStory about ExpertRight.
YourStory covered ExpertRight and gave info. about this startup from Rajasthan, India.

Basically,
ExpertRight is a platform to hire freelancers for a short time period work. This seemed interesting, though nothing very new, so I checked out their site…

The site was good too & then something happened!
As I was surfing the Freelancer's page, I clicked on a freelancer's profile to check some info. & there I found out that the url was in the .php?id= format.

If you know even some basics about pen-testing, you know this can lead to an SQL Injection… So I tested the site & found that it was indeed vulnerable to SQL Injection Attacks!

To verify,
I registered on the site & then downloaded all the entries from 'users' table in their database (backend MySql) & I did find my info. I straight away fired a tweet (screenshot below) to Ayush Goyal (ExpertRight) about this, and we talked about it.

Of course being a new startup, I was requested to pull off that tweet which I did (screenshot below). But as you can see that the vulnerability was disclosed in January 2020, it still isn't fixed & so I decided to shoot a post about it.

If you are one of those who use the platform, I'd just say to be careful until they fix the issues.

expertright tweet screenshot

expertright whatsapp screenshot

Darshan Pandya