IDOR at Login function leads to leak user’s PII data

Eslam Akl
2 min read · Aug 30, 2022


Hello @All. Today we will talk about one of my latest findings at a private program. The vulnerable function is the login function, which allows the attacker to replace the username and leak the PII of any registered user.

Let’s start with the bug’s reproduction steps. If you need a quick definition of IDOR, just check this malicious user 1234

Steps to reproduce

1. At the vulnerable subdomain, you have a login function that requires you to enter your username first; if it’s valid, you proceed to the next step and enter your password.

2. After entering the random username test, I was surprised to find that a user called test actually exists, and I obtained all of his PII data in the response. The endpoint looks like https://subdomain.target.com/v1.0.0/dev/userfirm/<username>

3. Send this request to Intruder and try it with any leaked usernames to make the impact more realistic.

This way we can obtain most of the system users’ info, such as:

  1. Username
  2. First/Last name
  3. Email address
  4. Phone number
  5. Telephone
  6. Firm Name
  7. User ID

After reporting, the bug was resolved and marked as P1.

Mitigation/Fixing

1. Restrict the response so that it does not include any sensitive data. The developers need this sensitive info to pass it to another function, but they forgot to keep it out of the attacker’s view. They can replace the PII data with a response like:

{"userExist":"true", "errors": null}

2. Add throttling (rate limiting) on this API endpoint to stop brute-forcing attempts.
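To make the two fixes concrete, here is an added example (my own illustration, not the program’s code) of a username-check handler in the vulnerable shape beside a hardened one that returns only the userExist/errors pair and is rate limited per client IP. The user store, the IP, and the limit of 3 requests per 60 seconds are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample user store standing in for the target's backend.
USERS = {
    "test": {"userId": 1234, "firstName": "Test", "lastName": "User",
             "email": "test@example.com", "phone": "+1-555-0100",
             "firmName": "Example Firm"},
}


def userfirm_vulnerable(username):
    """Step-one check as found: a valid username returns the whole record."""
    user = USERS.get(username)
    if user is None:
        return {"userExist": "false", "errors": "user not found"}
    # The PII is only needed server-side by the next step, yet it is sent back.
    return dict(user, userExist="true", errors=None)


class Throttle:
    """Sliding-window limiter keyed by client (assumption: key is the client IP)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so the behaviour can be tested
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def userfirm_fixed(username, client_ip, throttle):
    """Hardened handler: the yes/no signal the next login step needs, nothing else."""
    if not throttle.allow(client_ip):
        return 429, {"userExist": None, "errors": "too many requests"}
    exists = username in USERS
    # Existence is still signalled (the two-step flow depends on it); the
    # throttle above is what caps how fast that signal can be enumerated.
    return 200, {"userExist": "true" if exists else "false", "errors": None}
```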

That’s all :)

Stay in touch

GitHub | LinkedIn | Twitter

Thank you ❤
