How I was able to disclose the Users’ chats with AI chat Bot?

Well , It will be a Nice Write up today , I will discuss with you about two or three ideas chaining them together to get the hidden gem which is the private chats .

From two days I got an Invite to a private program which is a Chat Bot look like Gemini & Chat GPT , so I start with testing some Business Logics and Idors , but This Product has a well security team but even the website has a WAF or security filters , The Developers’ mind don’t so I started to go deeply to get the files of the website and the directories , and I started to read the robots.txt file then I notices a path which is /s/ , hmmmmmmm

I know till now it’s normal but to me not cause I have to analyze and know every path how it works and what it do , so I started to search more , but with nothing even FUZZING , /s/FUZZ , /s/.FUZZ , /s/~FUZZ …etc

disappointed?? Surely NOOOOO , we still have many ways we didn’t try it yet ,

Now I missed an Important thing which is waybackurls , searching for the path /s/ if it was archived before or something like this and as I thought I got some complicated tokens so I can’t bruteforce it but no problem , I got : /s/kqUsc6q322w3******** , but a normal person will stop here , why ? 404 will face you :|

How the developer think he is now :

Well now we have /s/ , /s/kqUsc6q322w3******** but with 404 , what if we start to bypass it ? and try something like example.com/../s/kqUsc6q322w3******** OR example.com/~/s/kqUsc6q322w3********

and then after a lot of try I got this

example.com/~s/kqUsc6q322w3******** and BOOM over 1k private chat is leaked

and from the first if I fuzz like /~FUZZ I would able to get it faster than this so add it to ur methods to fuzz

now I want to say to the developer , who is the real hacker ?

well , at the end I discussed about two three points and how I chained it together from getting the paths , to fuzzing , to checking waybackurls and at the end trying to bypass the 404

THANKS ,