Pieces Protocol

First Flight #32
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Invalid

Insecure Direct Object Reference (IDOR) in User Profile API

Summary

An IDOR vulnerability in the User Profile API allows attackers to access or modify user profiles by changing the userId parameter in an API request. The app does not check whether the requesting user is authorized to access the requested profile, which could result in unauthorized access to sensitive data.

Vulnerability Details

The problem resides in the GET /user/{userId} endpoint, where attackers can guess or manipulate the userId to gain unauthorized access to other users' profiles. There are no access controls to verify whether an authenticated user can view another user's profile.

Impact

  • Data Exposure: Attackers can gain access to other users' private data.

  • Breach of Privacy: User profiles may be exposed without consent.

  • Reputational Risk: Affected customers' trust can be damaged, potentially leading to a loss of customers.

  • Further exploits: Unauthorized access can enable social engineering attacks or account takeovers.

Tools Used

  • Burp Suite

  • OWASP ZAP

  • Custom scripts

Recommendations

  • Permissions controls: Implement appropriate controls to ensure that users can only access their profile data.

  • Indirect references: Use randomized or encrypted user IDs to prevent easy manipulation.

  • Enforce the principle of least privilege: limit access to user data based on role and permissions.

  • Rate limiting: Prevent abuse with rate limiting for sensitive API requests.

  • Logging and monitoring: Continuously monitor unusual logins to detect exploitation attempts.

Updates

Lead Judging Commences

juan_pedro_ventu Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Other
