IDOR leads to view other user Biographical details (Possible PII LEAK)

Program: U.S. Dept Of Defense Bug Type: IDOR Bounty: Unspecified Date: 2024-07-04
IDOR Information-Disclosure sensitive-data broken-access-control

Summary

The researcher discovered an IDOR vulnerability in multiple endpoints under the /JOINOnline/Board/QuestionCard/ path. These endpoints allow access to other users' demographic and contact details by simply changing the user ID in the URL. No authorization check is enforced on the requested record, so PII is exposed across accounts.
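An added illustration of the access-control gap the report describes, not code from the report or from the affected application: a QuestionCard lookup keyed by a user ID, first as written with no ownership check, then with an object-level authorization check. The record layout, the sample data, the function names and the `user_id` parameter name are constructed assumptions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


@dataclass(frozen=True)
class QuestionCard:
    user_id: int
    full_name: str
    email: str
    date_of_birth: str


# Constructed sample records standing in for the demographic/contact data.
CARDS = {
    101: QuestionCard(101, "Sample User A", "a@example.test", "1990-01-01"),
    102: QuestionCard(102, "Sample User B", "b@example.test", "1985-06-15"),
}


def get_question_card_vulnerable(session_user_id: int, user_id: int) -> QuestionCard:
    """IDOR pattern: the caller is authenticated, but the requested ID is never
    compared with the session identity, so any logged-in user can read any card."""
    return CARDS[user_id]


def get_question_card_hardened(session_user_id: int, user_id: int) -> QuestionCard:
    """Object-level check: the requested ID must match the session identity.
    Denying before the store lookup means a request for someone else's ID gets
    the same answer whether or not that record exists."""
    if user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read card {user_id}")
    card = CARDS.get(user_id)
    if card is None:
        raise KeyError(user_id)
    return card


def is_idor_exposed(session_user_id: int, user_id: int, handler) -> bool:
    """Regression-style probe for a test suite: does ``handler`` hand the
    session user a card belonging to a different user?"""
    try:
        card = handler(session_user_id, user_id)
    except (Forbidden, KeyError):
        return False
    return card.user_id != session_user_id
```

The simplest fix in practice is to key the lookup off the session identity alone and drop the user ID from the URL; the probe above belongs in the regression tests so the check cannot silently disappear again.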
