Privacy Bug In Elance

Elance is one of the top freelancing sites in the world. A seller who contacts a buyer outside Elance, whether to arrange payment for a project or to draw the buyer’s attention to a proposal, violates Elance policies, and Elance may permanently ban the seller’s account if the buyer complains. This is why a buyer’s username is not publicly visible: most people use the same username on Elance, Skype and other websites, so a seller who knows it can easily contact the buyer outside Elance to promote a job proposal or to ask the buyer to pay outside the platform. The buyer may agree to it, but this is strictly against Elance policies.

Here are 2 types of profile links for the same buyer.

  1. Plain profile link: https://www.elance.com/e/nomanriffat/

  2. Encrypted profile link: https://www.elance.com/e/public/Oq66qfJdF5KdneGG7gH2DylVblgYAWDeQOwFV3iY19U-/

In the first link the username is clearly visible, while the second URL is encrypted. If you visit both links, you will find that the username is not mentioned on the page of the encrypted link. A buyer’s username is only visible to sellers who have worked with him or who were invited to apply to the buyer’s job. But what if someone finds the username of a buyer without ever working with him or being invited to apply to his job? I might have been wrong about the plain and encrypted links, but then I contacted Elance support and got this reply from them.

Elance Reply

How I exploited this bug

Every buyer has a unique ID, which was visible (when this bug existed) in the page source of the encrypted link to the buyer’s profile. I don’t have an old screenshot of how that looked, but the ID existed between them.

Page source of buyer's account

The URL below leads to the plain URL of a buyer’s account when given just the buyer ID. So, having already got the buyer ID from the page source, I can now use this link to get the username of the buyer. In my case, the ID is “5047246”.
https://www.elance.com/buyerprofile?userid=5047246

You can see that the above URL redirects to my real profile, which contains my username. I reported this bug on June 25, 2014 and got this reply from Elance on November 20, 2014.

Elance reply

Thus Elance patched the bug by removing the buyer’s ID from the page source of the buyer’s encrypted profile link. Someone can still exploit this bug if he somehow manages to get the buyer’s ID by any means 🙂
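The residual risk described above exists because the ID-to-profile endpoint still answers for anyone who holds an ID. As an added example (not Elance's code and not part of the original post), the sketch below models that resolver next to a version that enforces the visibility rule stated earlier: only sellers who worked with the buyer or were invited see the username. All data, function names and the token value are constructed.

```python
# Constructed sample data; every name and value here is hypothetical.
BUYERS = {
    1001: {"username": "acme_buyer", "public_token": "tok-3f9a1c"},
}
# (seller, buyer_id) pairs: the seller worked with, or was invited by, the buyer.
RELATIONSHIPS = {("seller_a", 1001)}


def resolve_vulnerable(viewer, buyer_id):
    """Behaviour the post describes: any caller holding the ID gets the username URL."""
    buyer = BUYERS.get(buyer_id)
    if buyer is None:
        return 404, None
    return 302, f"/e/{buyer['username']}/"


def resolve_hardened(viewer, buyer_id):
    """Check the viewer's relationship before the redirect exposes the username."""
    buyer = BUYERS.get(buyer_id)
    if buyer is None:
        return 404, None
    if viewer is not None and (viewer, buyer_id) in RELATIONSHIPS:
        return 302, f"/e/{buyer['username']}/"
    # Everyone else is sent to the opaque link, which carries no username.
    return 302, f"/e/public/{buyer['public_token']}/"


def leaks_username(resolver, viewer, buyer_id):
    """True if the redirect target reveals the buyer's username to this viewer."""
    _, location = resolver(viewer, buyer_id)
    return location is not None and BUYERS[buyer_id]["username"] in location


if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_vulnerable),
                           ("hardened", resolve_hardened)):
        for viewer in ("seller_a", "seller_b", None):
            print(name, viewer, leaks_username(resolver, viewer, 1001))
```

With the check in the resolver itself, hiding the numeric ID in the page source becomes defence in depth and is no longer the only control.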
