Unrestricted Access to All User Information | REST API Oversharing
Summary
This post describes a vulnerability the author found in an API that permitted access to all user information.
The author had previously signed up for an account with the programme and had logged in.
During this process, they observed the API calls generated, noting that the API was housed on a dedicated path, rather than on a separate subdomain.
By modifying the API path from /api/user/me to /api/user/all, the author was able to access all user information.
Importantly, the author noticed that the verification tokens sent to user emails were included in the user account details, allowing the author to acquire those tokens for over 3,000 users, including administrators.
To prevent this type of vulnerability, the author recommends that proper access controls be implemented, such as restricting the all-users endpoint to administrators only.
This would involve implementing role-based access control, whereby a user's role is checked on every request before they are granted access to a given endpoint.
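As an added illustration (not code from the original post or the affected application), the following minimal handler models the two paths with a per-request role check, so that rewriting `/api/user/me` to `/api/user/all` yields 403 for a non-admin caller; the serializer also omits the verification token so it never appears in any response. The route table, `User` model and sample users are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    email: str
    role: str                # "user" or "admin"
    verification_token: str  # secret; must never leave the server


# Constructed sample data standing in for the application's user table.
USERS = {
    1: User(1, "alice@example.com", "user", "tok-alice-secret"),
    2: User(2, "bob@example.com", "admin", "tok-bob-secret"),
    3: User(3, "carol@example.com", "user", "tok-carol-secret"),
}

# Roles allowed per endpoint (assumed); any path not listed is denied.
ROUTE_ROLES = {
    "/api/user/me": {"user", "admin"},
    "/api/user/all": {"admin"},
}


def public_view(u: User) -> dict:
    """Serialize a user without secret fields; the token is deliberately omitted."""
    return {"id": u.id, "email": u.email, "role": u.role}


def handle(path: str, caller_id: Optional[int]) -> Tuple[int, object]:
    """Return (status, body) for a request, mimicking a route handler."""
    caller = USERS.get(caller_id) if caller_id is not None else None
    if caller is None:
        return 401, {"error": "authentication required"}
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 404, {"error": "not found"}
    # The role check runs on every request, so changing "me" to "all"
    # gains nothing unless the caller actually holds the admin role.
    if caller.role not in allowed:
        return 403, {"error": "forbidden"}
    if path == "/api/user/me":
        return 200, public_view(caller)
    return 200, [public_view(u) for u in USERS.values()]
```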