API Security Gone Wrong: Exposing 100,000 Users with One Crafted Request
Hey there! As a security researcher, I often test web applications to see how well they hold up against common vulnerability classes. Recently, while participating in a public VDP (vulnerability disclosure program), I came across a bug that allowed me to view the personal details of 100,000 users through crafted API requests. Let's get started!
The Discovery
It all started while I was testing the application's API. APIs are the backbone of modern web apps, and they are often secured less carefully than the pages built on top of them. By changing a single parameter in an otherwise ordinary request, I was able to read data that should have been restricted to its owner. What I found was shocking: detailed information about 100,000 users was exposed.
What Was the Bug?
The vulnerability I found was in the way the API handled requests for user data. Here’s how I exploited it:
1. I sent an API request to fetch my own user data.
2. Upon inspecting the request and response, I noticed a user ID in the API call.
3. I then crafted a similar API request but changed the user ID to see if I could access another user's data.
4. To my surprise, I was able to retrieve the details of another user, and the same trick worked across 100,000 users.
This issue occurred because the API was not verifying whether the requester had the right to access the data of other users. This class of bug is known as an Insecure Direct Object Reference (IDOR), or Broken Object Level Authorization (BOLA) in the OWASP API Security Top 10. A couple of requests against a second test account are enough to prove it; there is no need to pull every record to demonstrate impact.
Why It Matters
Exposing the personal details of 100,000 users via API calls is a severe vulnerability. User data, including sensitive information such as usernames, email addresses and phone numbers, could be harvested in bulk if this flaw was found by an attacker. An exposure of this kind can constitute a personal data breach under data protection laws such as GDPR and could lead to serious repercussions for the company. Worse still, attackers could use the harvested data for targeted phishing campaigns or identity theft.
How This Vulnerability Occurred
This vulnerability stemmed from improper authorization. The API authenticated the caller, but it never checked whether that caller was authorized to access the specific user record being requested. As a result, by modifying the user ID in an otherwise valid request, I could retrieve data that should have been restricted to its owner. The fix is an object-level authorization check on every such endpoint: derive the caller's identity from the session on the server side and confirm that the requested record belongs to that identity (or that the caller holds a role permitted to read it) before returning anything. Making IDs harder to guess only reduces discoverability and is not a substitute for that check.
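The following is an added example, not code from the original post or from the affected application. It models the user-lookup endpoint described in the steps above in both its vulnerable and hardened forms, and replays the ID-substitution test against each. The endpoint shape (token plus user ID in, status code plus record out), the sample users, the session tokens and the numeric IDs are all constructed here for illustration; the real application's identifiers and field names are unknown.

```python
# Added example (not from the original post): a minimal in-memory model of a
# GET /api/users/<user_id> endpoint, vulnerable and fixed, plus the probe
# from the write-up. All data below is constructed for illustration.

# Constructed sample data: a handful of users standing in for the 100,000.
USERS = {
    1001: {"username": "alice", "email": "alice@example.com", "phone": "+1-555-0101"},
    1002: {"username": "bob",   "email": "bob@example.com",   "phone": "+1-555-0102"},
    1003: {"username": "carol", "email": "carol@example.com", "phone": "+1-555-0103"},
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def get_user_vulnerable(token, user_id):
    """Endpoint as the original app behaved.

    Authentication is enforced (is the token valid?), but authorization is
    not: nothing ties the requested user_id back to the caller, so any
    authenticated user can read any record.
    """
    if token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def get_user_fixed(token, user_id):
    """Same endpoint with object-level authorization enforced."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    # The caller's identity comes from the session, never from the URL, and
    # the requested record must belong to that identity. The check runs before
    # the lookup so the response does not reveal whether other ids exist.
    if user_id != caller:
        return 403, {"error": "forbidden"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def probe_idor(endpoint, token, own_id, candidate_ids):
    """Replay the write-up's test: fetch your own record, then swap the id.

    Returns the ids (other than own_id) whose records were returned to this
    caller. An empty list means object-level authorization held for these ids.
    """
    status, _ = endpoint(token, own_id)
    if status != 200:
        raise RuntimeError("baseline request for own record failed: %d" % status)
    leaked = []
    for uid in candidate_ids:
        if uid == own_id:
            continue
        status, body = endpoint(token, uid)
        # A record with PII fields coming back for someone else's id is the bug.
        if status == 200 and "email" in body:
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)  # a small sequential window, as an attacker would iterate
    print("vulnerable endpoint leaked:", probe_idor(get_user_vulnerable, "tok-alice", 1001, ids))
    print("fixed endpoint leaked:     ", probe_idor(get_user_fixed, "tok-alice", 1001, ids))
```

Run as Alice, the vulnerable handler hands back Bob's and Carol's records while the fixed handler returns 403 for every id but her own. Note the second, quieter leak in the vulnerable version: 200 versus 404 tells an attacker which ids exist, which is what turns a single substitution into a loop over the whole user base. An endpoint that needs no id at all (for example `/api/users/me`) removes the attacker-controlled parameter entirely and is the simplest hardening when a caller should only ever see their own record.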
Thanks for reading, and I hope you found this insight helpful!