IDOR in the login function leads to leaking users' PII data

A vulnerable login function leaks the PII data of every registered user.

Hello everyone! Today we will talk about one of my latest findings in a private program. The vulnerable function is the login function, which allows the attacker to replace the username in the request and leak the PII of any registered user.

Let's start with the bug's reproduction steps; if you need a quick definition of IDOR, just check this.

Steps to reproduce

1. At the vulnerable subdomain, there is a login function that requires you to enter your username first; if the username is valid, you proceed to the next step and enter your password.

2. After entering the random username test, I was surprised to find that a user called test actually exists, and I obtained all of their PII data in the response. The endpoint looks like https://subdomain.target.com/v1.0.0/dev/userfirm/<username>

3. Send this request to Burp Intruder and try it with any leaked usernames to make the impact more realistic.

In this way, we can obtain most of the system users' information, such as:

  1. Username

  2. First/Last name

  3. Email address

  4. Phone number

  5. Telephone

  6. Firm Name

  7. User ID
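The enumeration in step 3 leaves a clear trace in web server access logs: one client requesting /v1.0.0/dev/userfirm/<username> for many distinct usernames in a short time. The following is an added detection example, not part of the original writeup; the log lines, IP addresses, usernames and the five-minute window / five-username threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in a combined-log style. All IPs, usernames
# and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /v1.0.0/dev/userfirm/test HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /v1.0.0/dev/userfirm/admin HTTP/1.1" 200 398
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /v1.0.0/dev/userfirm/jsmith HTTP/1.1" 200 405
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /v1.0.0/dev/userfirm/mlee HTTP/1.1" 404 57
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /v1.0.0/dev/userfirm/akhan HTTP/1.1" 200 401
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /v1.0.0/dev/userfirm/bwong HTTP/1.1" 200 399
198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "GET /v1.0.0/dev/userfirm/bwong HTTP/1.1" 200 399
198.51.100.20 - - [10/Mar/2024:12:30:05 +0000] "GET /v1.0.0/dev/userfirm/bwong HTTP/1.1" 200 399
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Path shape from the writeup; the endpoint itself is the page's, the regex is ours.
USERFIRM_RE = re.compile(r"^/v1\.0\.0/dev/userfirm/(?P<username>[^/?]+)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line):
    """Return (ip, timestamp, username) for a userfirm lookup, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = USERFIRM_RE.match(m.group("path"))
    if not u:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, u.group("username")


def find_enumeration_sources(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: max_distinct_usernames} for every client that looked up at least
    `threshold` distinct usernames inside some sliding window of length `window`.
    Both 200 and 404 responses count: a miss still reveals that the name is free."""
    events = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            ip, ts, username = parsed
            events[ip].append((ts, username))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {name for _, name in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible username enumeration from {ip}: {count} distinct usernames")
```

On the constructed log, 203.0.113.7 touches six different usernames in four seconds and is flagged, while 198.51.100.20 only repeats a single username and is not. A legitimate user mistyping their own name stays well under a threshold like this, which is also the reasoning behind the throttling fix described below in the mitigation section.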

After reporting, the bug was resolved and marked as P1.

Mitigation/Fixing

1. Restrict the response so that it does not include any sensitive data. The developers need this sensitive information to pass it on to another function, but they forgot to keep it out of the attacker's view. They can replace the PII data with a minimal response like:

{"userExist":"true", "errors": null}

2. Add throttling (rate limiting) to this specific API endpoint to stop any brute-force enumeration attempts.
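Both fixes side by side, as an added example that is not the program's own code: a hypothetical username-check handler in its leaky form (the behaviour the writeup describes) next to the hardened form that returns only the userExist flag, plus a simple per-client fixed-window throttle in front of it. The user record, limits and client identifiers are constructed for illustration.

```python
import json
import time

# Constructed user store standing in for the application's real backend.
USERS = {
    "test": {
        "userId": 1042,
        "username": "test",
        "firstName": "Test",
        "lastName": "User",
        "email": "test@example.com",
        "phone": "+1-555-0100",
        "firmName": "Example Firm",
    }
}


def username_check_vulnerable(username):
    """The leaky behaviour: the full record is handed to an unauthenticated caller
    just for supplying a username that exists."""
    user = USERS.get(username)
    if user is None:
        return {"userExist": False, "errors": ["user not found"]}
    return {"userExist": True, "errors": None, "user": user}


def username_check_fixed(username):
    """Hardened first step: the client only learns whether it may proceed to the
    password step. Any PII the later steps need stays server-side."""
    return {"userExist": username in USERS, "errors": None}


class FixedWindowThrottle:
    """Per-client request counter reset every `window_seconds`. A handful of tries
    per minute is plenty for a person typing a username and useless for Intruder.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._buckets = {}  # client_id -> (window_start, count)

    def allow(self, client_id):
        now = self.clock()
        start, count = self._buckets.get(client_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # new window, start counting again
        if count >= self.limit:
            self._buckets[client_id] = (start, count)
            return False
        self._buckets[client_id] = (start, count + 1)
        return True


def handle_username_step(client_id, username, throttle):
    """Return (http_status, json_body) for the login's username step."""
    if not throttle.allow(client_id):
        return 429, json.dumps({"userExist": None, "errors": ["too many requests"]})
    return 200, json.dumps(username_check_fixed(username))


if __name__ == "__main__":
    throttle = FixedWindowThrottle(limit=5, window_seconds=60)
    print("leaky:", json.dumps(username_check_vulnerable("test")))
    for attempt in range(7):
        print("fixed:", handle_username_step("client-a", "test", throttle))
```

The hardened response still tells the caller whether a username exists, which is exactly what the page's suggested {"userExist":"true", "errors": null} body does too; that is why the second fix, throttling the endpoint, belongs with the first rather than being optional. The throttle key should be whatever identifies a client in your deployment (source IP behind a trusted proxy, a session or device identifier), and counting per username as well as per client catches attackers who rotate addresses.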

Thanks for reading <3 Stay in touch
