Information Disclosure Vulnerability in Adobe Experience Manager affecting multiple companies including Microsoft, Apple, Amazon, McDonald’s and many more.

This is my first article ever so don’t mind my writing skills i really hate writing but i wanted to share this one with the community.

Hi guys my name is Fat 23 years old, Cyber Security Researcher / Bug Bounty Hunter from Kosova.

I ususally hunt in HackerOne this is my HackerOne profile : https://hackerone.com/fattselimi

Today i will share a story regarding a vulnerability that i found in multiple companies including McDonalds, Amazon, Apple, Microsoft and many more.

When i first noticed about AEM (Adobe Experience Manger) Content management system it was when i hunted in BMW Group in HackerOne : https://hackerone.com/bmwgroup

What is Adobe Experience Manager response generated by OpenAI :

Adobe Experience Manager (AEM) is a content management system that allows organizations to create, manage, and deliver digital content across multiple channels and devices. It is a web-based platform that helps businesses streamline their digital marketing efforts by providing tools for content creation, management, and delivery. AEM is designed to enable companies to easily create and manage web content, mobile apps, and digital forms, as well as to personalize content and optimize digital experiences. It is widely used by businesses of all sizes and across different industries to improve their online presence and enhance customer engagement.

So basically what i found was an Information Disclosue which Lead to Internal Email Disclosure in amazon.com

Let’s see below how i was able to find Internal Email Address Disclosure in Amazon subdomain.

Thanks to Assetnote i had a big wordlist of subdomains using Adobe Experience Manager since this Information Disclosure was affecting AEM i was looking for Vulnerability Disclosure Programs and Bug Bounty Programs running AEM.

I found that Amazon subdomain was using AEM.

site:subdomain.*.* inurl:’/content/dam’

Gave me multiple results

after adding site:subdomain.amazon.com/content/dam/filename.pdf/.children.json

2. In the image you can see the Response that we got after we added .children.json after the file.pdf extension.

3. If we see the jcr:lastModifiedBy: json parameter

4. Internal Email Address is being disclosed there.

What is the impact of this lets see what OpenAI will say about it below.

Impact of company internal email address disclosure response from OpenAI

The impact of company internal email address disclosure can vary depending on the specific circumstances of the situation, but it can have several negative consequences, such as:

1. Increased risk of phishing and social engineering attacks: When internal email addresses are disclosed, it makes it easier for cybercriminals to impersonate company employees and launch targeted attacks on the organization. Phishing emails, for example, can be designed to look like legitimate messages from the company, and employees may be more likely to fall for them if they believe they are coming from a trusted source.
2. Increased risk of spam and unsolicited emails: Disclosing internal email addresses can also lead to an increase in spam and unsolicited emails, as these addresses may be added to email marketing lists or sold to third-party marketers. This can lead to a flood of unwanted emails, which can be both annoying and distracting for employees.
3. Loss of confidentiality: If internal email addresses are disclosed, it can also compromise the confidentiality of company communications. This is particularly true if the email addresses are associated with sensitive departments, such as HR or legal. In some cases, the exposure of email addresses could even lead to the disclosure of confidential information, such as the names of employees involved in a particular project or legal matter.
4. Damage to reputation: Finally, the disclosure of internal email addresses can also damage a company’s reputation, particularly if the incident becomes public. It can make the company look careless or irresponsible, and may erode trust among employees and customers alike.

The same issue i was able to find in multiple other companies like Apple, Microsoft, McDonalds and many more.

See below the same issue affecting Microsoft :

See below the same issue Affecting Apple :

See below the same issue affecting McDonald :

Here you have a Google Dork to find AEM assets easily thanks Intigriti for this one.

Some Shodan Dorks and Google Dorks that i use you to find websites using Adobe Experience Manager are :

1.Shodan : http.component:”Adobe Experience Manager”

2.Google : site:target.* inurl:’/content/dam’

3.You can use Assetnote Wordlists too : https://wordlists.assetnote.io/

4.Happy hunting.

Thanks for reading and i hope that you liked this article and learned something new regarding Adobe Experience Manager (AEM) Content Management System security and i hope that this information will help you get some bounty from it.

Follow me in twitter for more : https://twitter.com/fattselimi or https://www.linkedin.com/in/fatselimi/