From Partial IDOR to GPS Tracking — API Flaw Explained
Summary
A security researcher has explained how they found a serious vulnerability on redacted.com. It resembled a Partial IDOR, but was more serious because the data could be read without authenticating at all, making it an unauthenticated information disclosure.
The researcher discovered a public API endpoint that leaked device status and precise GPS locations without the need for authentication.
Using fuzzing techniques to uncover new endpoints, the researcher found they could access this data using a system ID, which did not require any authentication.
By modifying the system ID, the researcher realised they could obtain the real-time and historical movements of individual users, fleets and whole organisations, exposing sensitive location data and compromising the privacy of the people being tracked.
After responsible disclosure, the website took steps to implement authentication, restrict API access, add rate limiting, introduce logging and monitoring and limit GPS coordinate access.
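To make the remediation concrete, here is an added illustration (not code from the original write-up or from redacted.com) of the flawed endpoint next to a hardened version that applies the controls listed above: authentication, an ownership check on the requested system ID, per-principal rate limiting, an audit log, and coarsened GPS coordinates. The device table, session tokens, `system_id` format and coordinate precision are all constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: which organisation owns each tracked system and its last fix.
DEVICES = {
    "sys-1001": {"org": "org-A", "status": "online", "lat": 51.5007, "lon": -0.1246},
    "sys-1002": {"org": "org-B", "status": "idle", "lat": 48.8584, "lon": 2.2945},
}

# Constructed sessions: bearer token -> authenticated principal.
SESSIONS = {
    "tok-alice": {"user": "alice", "org": "org-A"},
    "tok-bob": {"user": "bob", "org": "org-B"},
}


def vulnerable_status(system_id):
    """The flawed design: anyone who guesses a system ID receives the exact position."""
    dev = DEVICES.get(system_id)
    if dev is None:
        return 404, {"error": "not found"}
    return 200, dict(dev)


class RateLimiter:
    """Sliding-window limiter keyed by principal: at most `limit` calls per `window_s`."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.calls = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.calls[key]
        while q and now - q[0] > self.window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_status(headers, system_id, limiter, audit_log, precision=2):
    """Authenticate, rate-limit, authorise the object, log the outcome, coarsen the fix."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    principal = SESSIONS.get(token.strip())

    def log(outcome):
        audit_log.append({
            "user": principal["user"] if principal else None,
            "system_id": system_id,
            "outcome": outcome,
        })

    if principal is None:
        log("unauthenticated")
        return 401, {"error": "authentication required"}
    if not limiter.allow(principal["user"]):
        log("rate_limited")
        return 429, {"error": "too many requests"}
    dev = DEVICES.get(system_id)
    if dev is None or dev["org"] != principal["org"]:
        # Same answer for "does not exist" and "belongs to someone else", so an
        # enumerating caller cannot use the response to map out valid IDs.
        log("denied")
        return 404, {"error": "not found"}
    log("ok")
    # Round coordinates so the API returns a neighbourhood, not a doorstep.
    return 200, {
        "status": dev["status"],
        "lat": round(dev["lat"], precision),
        "lon": round(dev["lon"], precision),
    }


if __name__ == "__main__":
    print("flawed:", vulnerable_status("sys-1002"))
    audit, limiter = [], RateLimiter(limit=3, window_s=60)
    alice = {"Authorization": "Bearer tok-alice"}
    print("no token:", hardened_status({}, "sys-1001", limiter, audit))
    print("other org:", hardened_status(alice, "sys-1002", limiter, audit))
    print("own device:", hardened_status(alice, "sys-1001", limiter, audit))
    print("audit trail:", audit)
```

The order of checks matters: the rate limiter runs before the database lookup, so a caller cannot burn through IDs faster than the budget allows, and the 404 for a foreign system ID is indistinguishable from a missing one.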
The researcher concluded by stressing the importance of API security and urging testing for unauthorised data access and authentication weaknesses.