This article discusses a significant vulnerability related to Sensitive Data Exposure found in a REST API during a security hunting exercise. By altering the API endpoint from /api/user/me to /api/user/all, the author was able to retrieve sensitive user information, including verification tokens. The article highlights the need for proper access controls to prevent such exploits.
Affected: REST API, Target
Keypoints:
- A Sensitive Data Exposure vulnerability was found in a REST API.
- Changing the API endpoint from /api/user/me to /api/user/all allowed access to all user information.
- The vulnerability was discovered through general reconnaissance and subdomain discovery.
- The API calls were hosted on a dedicated /api path.
- User account details were easily obtained via a GET request.
- The author was surprised by the simplicity of the exploit.
- The verification token was leaked within the API response, matching the user’s email.
- The author accessed tokens from 3,156 users, indicating widespread exposure.
- Common misconfigured API endpoints should be checked for potential vulnerabilities.
- Developers are advised to implement proper access controls for sensitive endpoints.
- Code examples illustrate how to restrict access based on user roles in Flask applications.
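The access-control fix the article recommends, as an added, framework-agnostic Python example that is not the article's own Flask code: a hypothetical `require_role` decorator gates `/api/user/all` to admins, and `public_view` strips the verification token from every response, so even an authorised caller never receives another user's token. The user records are constructed sample data.

```python
from functools import wraps
from typing import Callable, Dict, List, Tuple

# Constructed sample user store (hypothetical data, not from the original article).
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "admin", "verification_token": "tok-alice-1"},
    2: {"id": 2, "email": "bob@example.com", "role": "user", "verification_token": "tok-bob-2"},
}

# Server-side secrets that must never be serialised into an API response.
SECRET_FIELDS = {"verification_token"}


class Forbidden(Exception):
    """Raised when the caller lacks the role an endpoint requires."""


def public_view(user: Dict) -> Dict:
    """Return a copy of the record with secret fields removed."""
    return {k: v for k, v in user.items() if k not in SECRET_FIELDS}


def require_role(role: str) -> Callable:
    """Hypothetical decorator: reject callers whose role does not match."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(caller: Dict, *args, **kwargs):
            if caller.get("role") != role:
                raise Forbidden(f"{handler.__name__} requires role {role!r}")
            return handler(caller, *args, **kwargs)
        return wrapper
    return decorator


def get_me(caller: Dict) -> Dict:
    """/api/user/me: the caller only ever sees their own sanitised record."""
    return public_view(USERS[caller["id"]])


@require_role("admin")
def get_all(caller: Dict) -> List[Dict]:
    """/api/user/all: admin-only, and still token-free."""
    return [public_view(u) for u in USERS.values()]


ROUTES = {"/api/user/me": get_me, "/api/user/all": get_all}


def handle(path: str, caller: Dict) -> Tuple[int, object]:
    """Minimal dispatcher standing in for the web framework's routing."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, {"error": "not found"}
    try:
        return 200, handler(caller)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
```

In a real Flask application the same checks belong in a decorator on the view or in `before_request`, with the caller's role taken from the authenticated session rather than from the request body.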