Summary

  • A penetration tester (callgh0st) found a logical bug on a restaurant reservations platform: it failed to invalidate a user’s session, and with it that user’s existing access, when their permissions changed, so a user kept access to sensitive data after the owner had revoked those permissions.
  • The tester, who uses the alias “UserA,” creates a list of favourite restaurants and invites another user, “UserB,” to make a copy.
  • While UserB still has access, they use Burp Suite to intercept and save the request to create a copy of the list.
  • UserA then revokes UserB’s access to the list, but by replaying the saved request UserB can still copy the list, including any updates UserA makes to it afterwards.
  • The target, referred to as “gaza.com,” was in scope of a Bugcrowd programme; the flaw was classified as a P4 (low severity) finding.
  • The researcher discovered the flaw after stepping away from the task, invoking the Muslim aphorism “what is meant for you will not pass you.”
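
The share, capture, revoke, replay sequence above, modelled as an added example (constructed here; not the platform’s code and not the author’s proof of concept). It assumes a design in which the invitation hands the invitee a server-signed grant (list id plus user id plus HMAC) and the vulnerable copy endpoint accepts any validly signed grant, while the fixed endpoint also consults the list’s live share table on every request. The list ids, item names and HMAC key are constructed; in a real deployment the requesting user would come from the authenticated session, not from the body.

```python
"""Stale-authorization replay: a shared list can still be copied after the share
is revoked if the copy endpoint trusts a grant issued at share time instead of
re-checking the access list on every request.  Constructed example only."""
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret"   # assumption: server-side HMAC key


def _sign(grant: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of the grant (assumed grant format)."""
    msg = json.dumps(grant, sort_keys=True).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class Platform:
    def __init__(self):
        self.lists = {}    # list_id -> {"owner": user, "items": [...]}
        self.shares = {}   # list_id -> set of users currently allowed to copy

    def create_list(self, owner, list_id, items):
        self.lists[list_id] = {"owner": owner, "items": list(items)}
        self.shares[list_id] = set()

    def add_item(self, owner, list_id, item):
        if self.lists[list_id]["owner"] != owner:
            raise PermissionError("only the owner can edit")
        self.lists[list_id]["items"].append(item)

    def share(self, owner, list_id, invitee):
        """UserA invites UserB.  Returns the request body UserB's client sends to
        the copy endpoint; this is the request a proxy such as Burp would save."""
        if self.lists[list_id]["owner"] != owner:
            raise PermissionError("only the owner can share")
        self.shares[list_id].add(invitee)
        grant = {"list_id": list_id, "user": invitee}
        return {**grant, "sig": _sign(grant)}

    def revoke(self, owner, list_id, invitee):
        if self.lists[list_id]["owner"] != owner:
            raise PermissionError("only the owner can revoke")
        self.shares[list_id].discard(invitee)

    def _grant_is_genuine(self, request) -> bool:
        grant = {"list_id": request["list_id"], "user": request["user"]}
        return hmac.compare_digest(request["sig"], _sign(grant))

    def copy_vulnerable(self, request):
        """Trusts the grant alone: a valid signature means 'allowed', so a
        revocation never reaches this check and a replayed request succeeds."""
        if not self._grant_is_genuine(request):
            return 403, None
        return 200, list(self.lists[request["list_id"]]["items"])

    def copy_fixed(self, request):
        """Same signature check, plus a lookup against the live share table on
        every request, so access ends the moment the owner revokes it."""
        if not self._grant_is_genuine(request):
            return 403, None
        list_id, user = request["list_id"], request["user"]
        allowed = user in self.shares.get(list_id, set())
        if not allowed and self.lists[list_id]["owner"] != user:
            return 403, None
        return 200, list(self.lists[list_id]["items"])


def replay_scenario(handler_name):
    """Share -> capture -> revoke -> owner updates -> replay.
    Returns the (status, items) the replayed request gets after revocation."""
    p = Platform()
    p.create_list("UserA", "favourites", ["Cafe One"])        # constructed data
    captured = p.share("UserA", "favourites", "UserB")         # UserB saves this
    status, _ = getattr(p, handler_name)(captured)             # works while shared
    if status != 200:
        raise RuntimeError("copy should succeed while the share is active")
    p.revoke("UserA", "favourites", "UserB")
    p.add_item("UserA", "favourites", "Bistro Two")            # owner keeps editing
    return getattr(p, handler_name)(captured)                  # replay after revoke


if __name__ == "__main__":
    print("vulnerable:", replay_scenario("copy_vulnerable"))   # 200 and the updated list
    print("fixed:     ", replay_scenario("copy_fixed"))        # 403
```

The point the model makes is that the fix is not really about sessions: the captured request is a valid, authenticated request, and it keeps working because the authorization decision was made once at share time and baked into something the client holds. Any endpoint that grants access to shared data has to re-evaluate the current access list (or check that a grant has not been revoked) on each request, and a quick test for this class of bug is exactly the one above: capture a request while access is active, revoke it, replay.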

By callgh0st

Original Article