The API was sending a POST request to the forum without an Authorization header.
Discription

In this case, I decided to take a closer look at the API and some information in the POST data caught my attention. It was taking an ID information defined by the API (I guess) in the header of the request and my forum user-id in the data section. In response section, it returned all posts from that user’s profile page with his/her PII info included as well as other sensitive information like private messages or comments he/she made on other threads.

This is how I found BOLA vulnerability on Topcoder Forum (apps.topcoder.com/forums)
https://t.co/D0VDCVvIi3

Back to Main