
FULL access to all CUSTOMERS information including emails for all users in Company DataBase



Published 1 week ago


Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

This is critical because it gives full access to PII, including email addresses, for every customer in the company database, even customers outside my own tenant or context. I reached it with low privilege: an admin user with no access to any data in his own tenant can still read all of it.

Affected Parameter / Endpoint: api.company.com/api/rest/userdetails/{id}?limit=50

Proof of Concept:

Step-by-step to reproduce:
  • Step 1: Log in at https://admin.company.com/ as an admin.
  • Step 2: Go to https://admin.company.com/user/details/linkedusers
  • Step 3: In Burp Suite you can see a request to the API:
    GET /api/rest/user/details/linkedUsers?start=0&limit=100 HTTP/1.1
    Host: api.company.com
    Take the cookies from this request; we will use them in the next request.
    Alternatively, just replace (/user/details/linkedUsers?start=0&limit=100)
    with (/user/details/110?limit=50 HTTP/1.1).
  • Step 4: From this endpoint, using your own cookie, you get the user information, including the email address, for the user with id 110:
    GET /api/rest/userdetails/110?limit=50 HTTP/1.1
    Host: api.company.com
Now you can access any user in the company database. My own id is 1133224.

I tried it with a few ids as a PoC; any attacker could enumerate the full database in just 1 hour.

As an admin, you can also try this with the cookie of another admin who has no access to anything in the company, and you still get the full user information from the company database.
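The root cause of the behaviour described above is a missing object-level authorization check: the endpoint confirms that the caller has a valid session cookie, but never checks that the requested record belongs to the caller's tenant or that the caller is allowed to read user PII at all. The following Python sketch is added here as an illustration and is not the vendor's code or anything taken from the report. It models the vulnerable handler beside a hardened one and runs the id sweep from the write-up against both. The data model, the tenant field, the permission name `users:read`, the caller context and the sample records are all assumptions made for the example.

```python
"""Vulnerable vs. hardened object-level authorization for a user-details
endpoint, modelled on the IDOR described in the write-up.

Added example; not the vendor's code. Data model, tenant field, permission
name and caller context are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: str
    email: str
    name: str


@dataclass(frozen=True)
class Caller:
    """Authenticated principal derived from the session cookie (assumed shape)."""
    user_id: int
    tenant_id: str
    permissions: frozenset = frozenset()


class NotFound(Exception):
    """Raised for missing AND out-of-scope ids, so a sweep cannot tell
    'does not exist' apart from 'exists but is not yours'."""


# Constructed sample data: two tenants, small sequential ids as on the target.
USERS = {
    110: User(110, "tenant-A", "alice@example.com", "Alice"),
    111: User(111, "tenant-B", "bob@example.com", "Bob"),
    112: User(112, "tenant-B", "carol@example.com", "Carol"),
}

# Admin from tenant A with no data permissions (the write-up's "admin with no access").
LOW_PRIV_ADMIN_A = Caller(user_id=9001, tenant_id="tenant-A")
# Admin from tenant B who is actually allowed to read users in his own tenant.
READER_B = Caller(user_id=9002, tenant_id="tenant-B", permissions=frozenset({"users:read"}))


def _render(user: User) -> dict:
    return {"id": user.id, "email": user.email, "name": user.name}


def user_details_vulnerable(caller: Caller, user_id: int) -> dict:
    """Authentication only: any logged-in caller can fetch any id (the bug)."""
    user = USERS.get(user_id)
    if user is None:
        raise NotFound
    return _render(user)


def user_details_hardened(caller: Caller, user_id: int) -> dict:
    """Object-level authorization: explicit permission, then tenant scoping.
    In SQL the scoping is the `WHERE id = :id AND tenant_id = :tenant` clause;
    here it is the tenant comparison below."""
    if "users:read" not in caller.permissions:
        raise NotFound
    user = USERS.get(user_id)
    if user is None or user.tenant_id != caller.tenant_id:
        raise NotFound
    return _render(user)


def enumerate_ids(handler, caller: Caller, id_range) -> list[int]:
    """Simulate the id sweep from the write-up; return the ids that leaked."""
    leaked = []
    for uid in id_range:
        try:
            handler(caller, uid)
        except NotFound:
            continue
        leaked.append(uid)
    return leaked


if __name__ == "__main__":
    sweep = range(100, 120)
    print("vulnerable:", enumerate_ids(user_details_vulnerable, LOW_PRIV_ADMIN_A, sweep))
    print("hardened  :", enumerate_ids(user_details_hardened, LOW_PRIV_ADMIN_A, sweep))
    print("hardened, entitled tenant-B admin:", enumerate_ids(user_details_hardened, READER_B, sweep))
```

Two design points are worth noting. The hardened handler answers out-of-scope ids with the same not-found result as non-existent ids, so the sweep no longer reveals which ids are valid. And the permission check comes before the lookup, so an admin account that has no data access in its own tenant, exactly the account used in the report, gets nothing at all.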

Impact:

Any authenticated admin account, including one with no access to any data in its own tenant, can call the user-details endpoint with an arbitrary numeric id and receive that user's PII, including the email address, regardless of tenant. Because the ids are numeric, an attacker can iterate them and enumerate every user in the company database in a short time.
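The same property that makes the abuse fast, one session fetching many distinct ids in sequence, also makes it visible on the server side. The following Python detector is an added example, not the vendor's code or anything from the report: it parses constructed nginx-style access-log lines for the user-details endpoint and flags any client that successfully fetched at least five distinct user ids inside a sixty-second window. The log format, the thresholds, the client addresses and the sample lines are assumptions.

```python
"""Detect id-sweep enumeration against a user-details endpoint from access logs.

Added example; not from the write-up or the vendor. Log format (nginx-style
combined log), thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Only the endpoint from the report; the numeric id is what a sweep iterates.
ID_PATH_RE = re.compile(r"^/api/rest/userdetails/(?P<id>\d+)")

# Constructed sample log: 203.0.113.5 sweeps ids 110-117 in 35 seconds (one
# 404 at the end), 198.51.100.7 is a legitimate admin reading his own record.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2023:14:00:00 +0000] "GET /api/rest/userdetails/110?limit=50 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2023:14:00:05 +0000] "GET /api/rest/userdetails/111?limit=50 HTTP/1.1" 200 507',
    '203.0.113.5 - - [10/Feb/2023:14:00:10 +0000] "GET /api/rest/userdetails/112?limit=50 HTTP/1.1" 200 511',
    '203.0.113.5 - - [10/Feb/2023:14:00:15 +0000] "GET /api/rest/userdetails/113?limit=50 HTTP/1.1" 200 509',
    '203.0.113.5 - - [10/Feb/2023:14:00:20 +0000] "GET /api/rest/userdetails/114?limit=50 HTTP/1.1" 200 514',
    '203.0.113.5 - - [10/Feb/2023:14:00:25 +0000] "GET /api/rest/userdetails/115?limit=50 HTTP/1.1" 200 503',
    '203.0.113.5 - - [10/Feb/2023:14:00:30 +0000] "GET /api/rest/userdetails/116?limit=50 HTTP/1.1" 200 510',
    '203.0.113.5 - - [10/Feb/2023:14:00:35 +0000] "GET /api/rest/userdetails/117?limit=50 HTTP/1.1" 200 506',
    '203.0.113.5 - - [10/Feb/2023:14:00:40 +0000] "GET /api/rest/userdetails/118?limit=50 HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Feb/2023:14:00:03 +0000] "GET /api/rest/userdetails/1133224?limit=50 HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Feb/2023:14:00:09 +0000] "GET /api/rest/user/details/linkedUsers?start=0&limit=100 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Feb/2023:14:00:30 +0000] "GET /api/rest/userdetails/1133224?limit=50 HTTP/1.1" 200 498',
]


def parse_line(line: str):
    """Return (ip, timestamp, user_id, status) for a user-details hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = ID_PATH_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(p["id"]), int(m["status"])


def find_sweeps(lines, min_distinct: int = 5, window_s: int = 60) -> dict:
    """Map client ip -> max number of distinct ids it fetched successfully
    within any window of `window_s` seconds, for clients at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, uid, status = rec
        if status == 200:          # only successful reads leak data
            events[ip].append((ts, uid))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {uid for _, uid in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_sweeps(SAMPLE_LOG).items():
        print(f"possible id sweep from {ip}: {count} distinct user ids within 60s")
```

The detector keys on distinct ids rather than raw request count, so a legitimate admin refreshing his own record repeatedly is not flagged, while a sweep of consecutive ids is. Failed (404) requests are excluded because they leak nothing; in a deployment they would instead be a useful second signal, since a sweep against the hardened endpoint shows up as a run of not-found responses.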

Severity:

Critical — PII INFORMATION DISCLOSURE

Timeline:
  • Platform: Intigriti
  • Reported: 10/02/2023
  • Triaged: 13/02/2023
  • Accepted & paid: 13/02/2023
  • Bounty: €3,000

https://app.intigriti.com/profile/merroun
