Disclose Hidden Comments on Media Section of hub.vroid.com
Medium
Vulnerability Details
I discovered a vulnerability related to hidden comments in the Media section on https://hub.vroid.com. Initially, a user allowed comments on their media post but later disabled them, making all comments invisible to everyone except the admin. However, by intercepting a request where a user can like any comment with a specific ID, I found that it is possible to like hidden comments by inputting their IDs. The response from the server not only confirms the like action but also reveals the content of the hidden comment, which should only be visible to the original poster of this media. This vulnerability in the endpoint allows unauthorized disclosure of hidden comments on any posts in the Media section.
{F3340195}
## Steps To Reproduce:
**UserAttacker**
**UserVictim**
1. Create two random accounts on https://accounts.pixiv.net/
2. Then log in to both on https://hub.vroid.com
3. From UserVictim, navigate to **submit character** and submit a character, then scroll down and you will see:
{F3340256}
4. Upload media here and allow comments
5. Post any random comment, then disable the comments section on the media of the UserVictim
6. From UserVictim we need to get the comment ID to use it later (this step is only for testing, a real attack doesn't need this step). For that, press Ctrl+U to view the page source, then Ctrl+F and search for **entityIds**
{F3340234}
7. Save the comment ID to use it later.
8. From UserAttacker, intercept any POST request made to https://hub.vroid.com/ and send it to the repeater
9. Update the POST request URL and parameter to the below:
```
POST /api/statuses/PASTE_ID_HERE/hearts HTTP/2
Host: hub.vroid.com
Cookie: ATTACKER_COOKIES
Sec-Ch-Ua: "Opera";v="109", "Not:A-Brand";v="8", "Chromium";v="123"
Accept: application/json, text/plain, */*
Content-Type: application/json
X-Api-Version: 11
Sec-Ch-Ua-Mobile: ?0
Content-Length: 2

{}
```
10. Send the request, and you will find the content of the comment and its owner in the response. In this case, the attacker will be able to disclose any hidden comment.
{F3340305}
## Impact
This vulnerability allows an attacker to disclose hidden comments of any user due to a vulnerable endpoint. These hidden comments should only be visible to the admin.
Report Stats
- Report ID: 2541962
- State: Closed
- Substate: resolved
- Upvotes: 93
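
The root cause described in the report, shown as an added example that is not hub.vroid.com's code and not part of the original report: a like handler that looks up a comment by ID and serializes it without the visibility check the comment list applies, next to a hardened form. All names, the in-memory data, and the rule that media owners and admins may still see hidden comments are assumptions made for illustration.

```javascript
// Constructed in-memory data; every name here is hypothetical.
const media = new Map([
  ["m1", { ownerId: "victim", commentsEnabled: false }], // comments disabled after posting
  ["m2", { ownerId: "victim", commentsEnabled: true }],
]);
const comments = new Map([
  ["c1", { mediaId: "m1", authorId: "victim", body: "hidden text", hearts: new Set() }],
  ["c2", { mediaId: "m2", authorId: "victim", body: "public text", hearts: new Set() }],
]);

// Assumed visibility rule, shared with the comment list view: comments on media
// with comments disabled are visible only to the media owner and admins.
function canViewComment(user, comment) {
  const parent = media.get(comment.mediaId);
  if (!parent) return false;
  return parent.commentsEnabled || user.isAdmin === true || user.id === parent.ownerId;
}

// Before: acts on any comment ID and returns the whole object to the caller.
function heartCommentVulnerable(user, commentId) {
  const comment = comments.get(commentId);
  if (!comment) return { status: 404, body: { error: "not found" } };
  comment.hearts.add(user.id);
  return { status: 200, body: { id: commentId, authorId: comment.authorId, body: comment.body } };
}

// After: authorize against the object before any state change, answer hidden and
// missing IDs identically, and return only what the like action needs.
function heartCommentHardened(user, commentId) {
  const comment = comments.get(commentId);
  if (!comment || !canViewComment(user, comment)) {
    return { status: 404, body: { error: "not found" } };
  }
  comment.hearts.add(user.id);
  return { status: 200, body: { id: commentId, heartCount: comment.hearts.size } };
}
```

Returning the same 404 for hidden and nonexistent IDs also keeps the endpoint from confirming which comment IDs exist.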