
Exploiting <img src=URL>

Çağlar Arlı

I recently submitted a bug bounty report concerning information disclosure on a platform (here referred to as "redacted"). The vulnerability allows an attacker to manipulate image source URLs to serve content from an attacker-controlled domain by simply appending my domain as a subdomain. This issue, when exploited via the app or website, leaks information such as the device's build version, the app version, OS information, and IP address. My report was marked as "informative" by H1 triage.

Given the platform's commitment to user privacy, I expected a different outcome. Here's a snippet reflecting the HTML manipulation: <img src="https://redacted.com.mydomain.com/appIcon.png" alt="media">. I attempted to inject JavaScript through SVGs and even tried triggering an authentication prompt by requiring authentication on my server. Neither method succeeded, likely due to browser and app security policies.

I'm reaching out for advice on how to increase the impact of this vulnerability. If anyone has suggestions or strategies that could help, I would greatly appreciate it.

Thank you for your support.
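From the defending side, the URL in the post is the kind that passes a string-prefix check on the image source but fails a parsed-hostname allowlist. The following is an added example, not part of the original post or the platform's code; the post does not say how the platform validates image URLs, so the prefix check, ALLOWED_HOSTS and all function names are assumptions.

```javascript
// Added example. ALLOWED_HOSTS and all function names are hypothetical;
// "redacted.com" and "mydomain.com" are the placeholders used in the post.
const ALLOWED_HOSTS = new Set(["redacted.com", "cdn.redacted.com"]);

// Assumed weak check: the raw string only has to begin with the trusted origin.
function weakIsTrustedImage(src) {
  return src.startsWith("https://redacted.com");
}

// Hardened check: parse first, then compare scheme and the complete hostname.
function isTrustedImage(src) {
  let url;
  try {
    url = new URL(src); // throws on relative or malformed input
  } catch (err) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  // The WHATWG parser lowercases the hostname, so an exact set lookup is enough.
  return ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample inputs, not taken from any real report.
const SAMPLES = [
  "https://redacted.com/appIcon.png",
  "https://redacted.com.mydomain.com/appIcon.png",
  "https://cdn.redacted.com/appIcon.png",
  "http://redacted.com/appIcon.png",
  "appIcon.png",
];

// Run both checks over every sample so the disagreements are visible side by side.
function classify(samples) {
  return samples.map((src) => ({
    src,
    weak: weakIsTrustedImage(src),
    strict: isTrustedImage(src),
  }));
}

for (const row of classify(SAMPLES)) {
  const weak = row.weak ? "weak:allow " : "weak:deny  ";
  const strict = row.strict ? "strict:allow" : "strict:deny ";
  console.log(`${weak} ${strict} ${row.src}`);
}
```

The second sample is the one from the post: the prefix check allows it, while the hostname comparison sees "redacted.com.mydomain.com" and denies it.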