Exploit
Entering a user name makes the interface display the associated mobile phone number. The number appears to be masked, but capturing the HTTP traffic shows that the back end actually returns the full number; the masking is applied only on the front end.
Moreover, the interface performs no verification and can be called arbitrarily, so the enumeration journey with Burp Suite began.
A large number of registered mobile phone numbers can be exposed through this interface, leaking users' phone number information.
Bug fix
The back end must not return the full mobile phone number; it should return only the masked form, with the middle four digits hidden, instead of relying on the front end to hide them.
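An added illustration of the fix (not code from the original write-up): the vulnerable handler beside the corrected one, plus the same check the author made on the captured response, namely whether the unmasked number appears in the body. The user record, user name and phone number are constructed sample data.

```python
import json
import re

# Constructed sample data standing in for the back end's user store (not from the article).
USERS = {
    "alice": {"phone": "13812345678"},
}

# The write-up concerns 11-digit mobile numbers; anything else is rejected before masking.
PHONE_RE = re.compile(r"^\d{11}$")


def mask_phone(phone: str) -> str:
    """Hide the middle four digits: 13812345678 -> 138****5678.

    The masking happens before the value is placed in the HTTP response,
    so a traffic capture reveals nothing more than the UI shows.
    """
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("unexpected phone number format")
    return phone[:3] + "****" + phone[-4:]


def lookup_vulnerable(username: str) -> str:
    """The behaviour the write-up describes: the full number is returned and
    the front end is trusted to hide it."""
    user = USERS.get(username)
    return json.dumps({"phone": user["phone"]} if user else {})


def lookup_fixed(username: str) -> str:
    """Server-side fix: only the masked number ever leaves the back end."""
    user = USERS.get(username)
    return json.dumps({"phone": mask_phone(user["phone"])} if user else {})


def response_leaks_phone(body: str, full_phone: str) -> bool:
    """Check a captured response body for the unmasked number, which is
    what inspecting the HTTP capture revealed in the original finding."""
    return full_phone in body
```

Masking closes the disclosure described here, but because the endpoint is unauthenticated and rate-unlimited it still confirms which user names exist; that part needs access control or rate limiting on the interface itself.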
If you want to learn more about network security, follow the public account "SCLM Security Team".