October 10, 2025

Improper Media Deletion: How I Found Publicly Accessible Deleted Files

category: Bug Bounty & Vulnerability Research

Introduction

While testing a payment and e-commerce platform for potential security weaknesses, I discovered a flaw in how it handled file deletion for product images. Even after an image was deleted, whether before saving the product or after saving and later removing it, the file remained publicly accessible through its CDN link. This is more than just a storage oversight; it’s a privacy and security issue that could allow unauthorized access to sensitive files indefinitely.

🔍 How I Found It

I was exploring the product management feature where merchants can upload cover images for their products. The images were stored on public CDN links, which is normal, but what stood out was that deletion in the UI didn’t actually remove the file from public access.

I confirmed the issue by running two scenarios.

Scenario 1 — Delete Before Saving the Product

1. Navigate to the product creation page.

2. Upload an image as the product cover.

3. Delete the image before clicking “Save.”

4. Copy the upload URL from the browser network tab.

5. Save the product without the image.

6. Visit the copied URL in a private/incognito browser.

Result:

The image was still publicly accessible despite being deleted before saving.

Scenario 2 — Delete After Saving the Product

1. Create a product and upload an image as the cover photo.

2. Save the product.

3. Copy the image’s CDN URL from the browser network tab.

4. Delete the image from the product (or delete the entire product).

5. Visit the copied URL in a private/incognito browser.

Result:

The image was still publicly accessible even after removal from the product.

📂 Masked Example URLs

https://cdn.example-payments.com/products/abc123.png

https://images.example-payments-cdn.com/public/files/products/xyz456.png

💥 Security Impact

• Privacy Violation: Deleted images remain accessible to anyone with the link.

• Unauthorized Access: No authentication is required to retrieve these files.

• Brand Abuse: Attackers could serve misleading or harmful content from a trusted payment platform CDN.

• Persistent Exposure: Files remain online indefinitely even after removal from the UI.

Why This Matters

For a payment and e-commerce platform, trust is everything. Merchants and customers expect that when they delete a file, it’s truly gone. Retaining deleted files in public storage breaks that trust and creates privacy risks, especially for platforms that may handle sensitive product visuals or user-generated content.

📌 Takeaways

This finding was classified as informative in the bug bounty program I submitted it to. While it didn’t result in a payout, it highlights a common issue in web applications: improper cleanup of deleted media.

For security researchers, this serves as a reminder to always check whether “delete” in the UI actually removes public access, especially on platforms dealing with payments or commerce.

💡 Pro tip for bug bounty hunters:

Always test file lifecycle handling at every stage: before saving, after saving, and after deletion. Many systems fail in one of these stages.
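To make the two scenarios above and the fix concrete, here is an added example (not the platform's code, and not from the original post). It models a media service in front of an in-memory object store that stands in for the public CDN bucket: with `purge_on_delete=False` it reproduces the behaviour described in the post (deletion only drops the database reference, so the object stays public), and with `purge_on_delete=True` it deletes the object as well, skipping the purge only when another product still references the same key. A time-based sweep handles uploads that were never attached to a saved product, which is the gap Scenario 1 exposes. The `cdn.example` URL scheme, the key names, and the sample PNG bytes are constructed for the example.

```python
"""Added example: media lifecycle model with a flawed and a hardened delete path."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ObjectStore:
    """Constructed stand-in for the CDN bucket. Every stored key is publicly readable."""
    objects: dict[str, bytes] = field(default_factory=dict)
    uploaded_at: dict[str, float] = field(default_factory=dict)

    def put(self, key: str, data: bytes, now: float) -> str:
        self.objects[key] = data
        self.uploaded_at[key] = now
        return f"https://cdn.example/{key}"  # assumed URL scheme, not the platform's

    def get(self, key: str) -> bytes | None:
        return self.objects.get(key)  # None plays the role of an HTTP 404

    def delete(self, key: str) -> None:
        self.objects.pop(key, None)
        self.uploaded_at.pop(key, None)


class MediaService:
    def __init__(self, store: ObjectStore, purge_on_delete: bool, orphan_ttl: float = 3600.0):
        self.store = store
        self.purge_on_delete = purge_on_delete  # False reproduces the bug from the post
        self.orphan_ttl = orphan_ttl            # seconds before an unattached upload is swept
        self.products: dict[str, str | None] = {}  # product id -> image key
        self.pending: set[str] = set()             # uploaded but not yet attached to a saved product

    def upload(self, key: str, data: bytes, now: float) -> str:
        self.pending.add(key)
        return self.store.put(key, data, now)

    def remove_pending_upload(self, key: str) -> None:
        """Scenario 1: the user removes the image before pressing Save."""
        self.pending.discard(key)
        if self.purge_on_delete:
            self.store.delete(key)

    def save_product(self, product_id: str, key: str | None) -> None:
        self.products[product_id] = key
        if key is not None:
            self.pending.discard(key)

    def delete_image(self, product_id: str) -> None:
        """Scenario 2: the image is removed from a saved product."""
        key = self.products.get(product_id)
        self.products[product_id] = None
        # Purge the object unless some other product still points at the same key.
        if key is not None and self.purge_on_delete and key not in self.products.values():
            self.store.delete(key)

    def delete_product(self, product_id: str) -> None:
        self.delete_image(product_id)
        self.products.pop(product_id, None)

    def sweep_orphans(self, now: float) -> list[str]:
        """Safety net: purge uploads that were never attached to a saved product."""
        removed = []
        for key in sorted(self.pending):
            if now - self.store.uploaded_at[key] > self.orphan_ttl:
                self.store.delete(key)
                self.pending.discard(key)
                removed.append(key)
        return removed


def is_public(store: ObjectStore, key: str) -> bool:
    return store.get(key) is not None


def run_lifecycle_check(purge_on_delete: bool) -> dict[str, bool]:
    """Replay both scenarios from the post; True means the file is still reachable after deletion."""
    store = ObjectStore()
    svc = MediaService(store, purge_on_delete)
    png = b"\x89PNG\r\n\x1a\n"  # constructed sample bytes

    # Scenario 1: upload, delete before Save, then save the product without an image.
    svc.upload("products/abc123.png", png, now=0.0)
    svc.remove_pending_upload("products/abc123.png")
    svc.save_product("prod-1", None)

    # Scenario 2: upload, save the product with the image, then delete the image.
    svc.upload("products/xyz456.png", png, now=0.0)
    svc.save_product("prod-2", "products/xyz456.png")
    svc.delete_image("prod-2")

    return {
        "exposed_after_delete_before_save": is_public(store, "products/abc123.png"),
        "exposed_after_delete_after_save": is_public(store, "products/xyz456.png"),
    }


if __name__ == "__main__":
    print("flawed:  ", run_lifecycle_check(purge_on_delete=False))
    print("hardened:", run_lifecycle_check(purge_on_delete=True))
```

The reference check before purging matters in real systems that deduplicate uploads by content hash: deleting the object the moment one product drops it would break every other product sharing it. The orphan sweep is the other half of the fix; without it, a user who uploads and then abandons the form leaves a public object behind even when the explicit delete path is correct.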
