PrimaPad

The vulnerability allows access to private notes through predictable URL patterns, exposing an Insecure Direct Object Reference in user-generated links.

• Exposure of sensitive data including passwords, customer support messages, health details, personal info, company files, and leaked data.

• No authentication or authorization required, granting access to anyone with the link.

• Dynamically generate possible URL combinations by iterating over a set of character sequences. For each generated link, the system checks whether it has already been visited by reading a local log file. If the link is new, it is stored and passed into a scraper function for data extraction.

• Each link is processed by sending an HTTP GET request to the target page. The returned HTML content is parsed using BeautifulSoup. The scraper isolates and extracts the text contained within a <textarea> element, then strips and stores the cleaned output for further use.