Ehtesham Ul Haq discovered a broken access control vulnerability while working with a client whose application used different user roles, allowing certain organisations to add and remove users.
When an administrator removed a user from an organisation, the user would inadvertently maintain access to the organisational metadata, including user details, roles and project titles and descriptions.
While the organisation intended to revoke all access for these users, an endpoint that did not re-check membership still served this metadata, compromising user privacy.
This kind of access control vulnerability can happen due to errors in authentication or authorisation, and Ul Haq recommends regular security testing to identify and fix such issues.
Organisations can also minimise access and errors by ensuring strict role-based access control and permission systems.
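The failure mode described above, as an added illustration written for this page (not the client's code): the vulnerable handler authorises against org membership captured in the session at login, so a removed user keeps reading members, roles and projects, while the fixed handler re-checks current membership on every request. The in-memory `Org`/`Session` model, user ids and project data are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Org:
    """Constructed in-memory organisation (example, not the client's system)."""
    name: str
    members: dict = field(default_factory=dict)  # user_id -> role
    projects: list = field(default_factory=list)


@dataclass
class Session:
    """Login session; the vulnerable handler trusts org membership cached here."""
    user_id: str
    orgs: frozenset  # org names captured at login time, never refreshed


def login(user_id, orgs):
    # Snapshot membership into the session, as a naive design might do.
    return Session(user_id, frozenset(o.name for o in orgs if user_id in o.members))


def remove_user(org, admin_id, user_id):
    # Only an org admin may remove a member; note the session is never invalidated.
    if org.members.get(admin_id) != "admin":
        raise PermissionError("only org admins may remove users")
    org.members.pop(user_id, None)


def org_metadata_vulnerable(session, org):
    # Vulnerable: authorises against the login-time snapshot, so a removed
    # user keeps reading members, roles and projects until the session expires.
    if org.name not in session.orgs:
        return None
    return {"members": dict(org.members), "projects": list(org.projects)}


def org_metadata_fixed(session, org):
    # Fixed: evaluate authorisation against current membership on every request.
    if session.user_id not in org.members:
        return None
    return {"members": dict(org.members), "projects": list(org.projects)}


def simulate_removal():
    """Return what each handler serves to a user after an admin removes them."""
    org = Org("acme", {"u1": "admin", "u2": "member"},
              [{"title": "Billing rewrite", "description": "constructed sample"}])
    sess = login("u2", [org])          # u2 logs in while still a member
    remove_user(org, "u1", "u2")       # admin u1 removes u2
    return {"vulnerable": org_metadata_vulnerable(sess, org),
            "fixed": org_metadata_fixed(sess, org)}
```

The same principle applies to JWT claims or any other cached authorisation data: a role or membership decision should be derived from the current state at request time, or the cached token must be revoked when membership changes.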