IDOR at Login function leads to leak user’s PII data

Hello @All. Today we will talk about one of my latest findings at a private program. The vulnerable function is the login function that manages the attacker to replace the username and leak the PII for any registered user.

Let’s start the bug’s reproduction steps, and if you need to see a quick definition for the IDOR, just check this malicious user 1234

Steps to reproduce

1. At the vulnerable subdomain, you have a login function that requires to enter your username first and then if it’s valid, you will proceed to the next step to enter your password.

2. After entering a random user test I surprised that there’s an existent user called test and I obtained all his PII data in the response. The endpoint seems likehttps://subdomain.target.com/v1.0.0/dev/userfirm/<username>

3. Send this request to the intruder and try with any leaked usernames to be more real.

By this way we can obtain most of the system users’ info like

  1. Username
  2. First/Last name
  3. Email address
  4. Phone number
  5. Telephone
  6. Firm Name
  7. User ID

After reporting the bug resolved and marked as P1

Mitigation/Fixing

1. Restrict the repose to not include any sensitive data, the developers needs these sensitive info to send them to another function, but they forget to restrict them far away the attacker's view. They can replace the PII data with a sentence like:

{"userExist":"true", "errors": null}

2. Add a throttling control at the specified API endpoint to stop any brute forcing attempts.

That All :)

Stay in touch

GitHub | LinkedIn | Twitter

Thank you ❤

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eslam Akl

Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll