This client-side script had pretty interesting information, and it led me to read each block until I found a function that was possibly deprecated, because its name contained the word “old”. When I extracted the URL and visited it manually, it actually responded, leading me to what looked like a job order: https://recycle.ext.hp.com/index.php?process=print&type=order&target=20 (this obviously won’t work now because it has been fixed by HP).
After playing with the values passed to the parameter “target”, I found that it didn’t require any authentication to view the job order. Below is a screenshot with target set to “3” (please excuse the censored details; I believe they are sensitive because they include the contact person’s email, pick-up address, and billing address).
Another screenshot follows with a target value of “10”.
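The defect described above is a missing object-level authorization check: the id in `target` is looked up directly, so anyone who can guess a number can read someone else’s order. The following is an added example, not HP’s code and not part of the original post. It models that lookup in Python with constructed sample orders, shows the missing check beside a hardened handler, and adds a small access-log check for a client walking through sequential ids. The order data, account names, session model and log lines are all assumptions made up for the example.

```python
"""Object-level authorization for a ``?target=<id>`` style endpoint.

Constructed example (not HP's code): models a print-order lookup like the
one described above, shows the missing check beside its fix, and includes a
simple log check for sequential-id enumeration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: order id -> owner account and a summary field.
ORDERS = {
    3: {"owner": "alice@example.com", "summary": "pickup: 1 Main St"},
    10: {"owner": "bob@example.com", "summary": "pickup: 9 Oak Ave"},
    20: {"owner": "carol@example.com", "summary": "pickup: 4 Elm Rd"},
}


@dataclass
class Session:
    """Hypothetical session object; user is None when not logged in."""
    user: Optional[str]
    is_staff: bool = False


def view_order_vulnerable(target: int) -> Optional[dict]:
    """The defect the post describes: the id from the URL is looked up
    directly, with no check on who is asking."""
    return ORDERS.get(target)


def view_order_secure(session: Session, target: int) -> tuple:
    """Hardened form: require a login, then tie the requested object to the
    caller (or to a staff role). Returns (status, body) like an HTTP handler."""
    if session.user is None:
        return 401, None
    order = ORDERS.get(target)
    if order is None or (order["owner"] != session.user and not session.is_staff):
        # Same response for 'missing' and 'not yours', so ids cannot be probed.
        return 404, None
    return 200, order


def flag_enumeration(log_lines, threshold: int = 5):
    """Detection side: count distinct ``target`` ids per client address in an
    access log and return clients that requested more than ``threshold``."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split(" ", 2)
        for target in parse_qs(urlsplit(path).query).get("target", []):
            seen[ip].add(target)
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


# Constructed access-log lines: "<client ip> <method> <path>".
SAMPLE_LOG = [
    f"203.0.113.5 GET /index.php?process=print&type=order&target={i}"
    for i in range(1, 8)
] + [
    "198.51.100.7 GET /index.php?process=print&type=order&target=3",
    "198.51.100.7 GET /index.php?process=print&type=order&target=3",
]

if __name__ == "__main__":
    print("vulnerable, no session:", view_order_vulnerable(3))
    print("secure, no session:", view_order_secure(Session(None), 3))
    print("secure, wrong user:", view_order_secure(Session("bob@example.com"), 3))
    print("secure, owner:", view_order_secure(Session("alice@example.com"), 3))
    print("clients walking ids:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler returns the same 404 for an order that does not exist and for one that belongs to someone else; returning 403 for the latter would confirm that the id is valid. The log check is deliberately coarse (distinct ids per client) and is meant as a starting point for an alert, not a complete detection.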
After realizing that these details should not be seen publicly, I immediately searched for the contact details of HP for a responsible disclosure regarding this security issue. When I found this link, I added in the details about my findings and was forwarded to this page:
After just a few seconds, I received the automated response through email:
By around 11:04 AM the same day, another auto-reply message was received:
By around 10:48 PM, still the same day, a case number had been assigned to the report:
After around 2 days, the security issue had been fixed, but there were no formal updates yet:
Finally, after some follow-up emails, HP confirmed the security issue had been fixed, but they still didn’t have any bug bounty program or hall of fame page at the moment.
Well at least the issue was fixed in a reasonable time frame. Asus still beats HP when it comes to a timely reply though. To be fair, I was an HP user before and never had an Asus laptop. Cheers!