
Broken Access Control - Unauthorized Access to Other Users' Orders

Open YLChen-007 opened this issue 1 month ago • 0 comments

Description

This issue is related to #98 and demonstrates the same security vulnerability.

Reproduction Steps

  1. Set up the environment as described in #98, and create an "IPhone X" order as the "target1" user.
  2. Log in with a test account.
  3. Modify the userId parameter to "target1" in the request.
  4. Successfully retrieve the order list belonging to the "target1" user.

Vulnerability Details

Type: Broken Access Control (IDOR - Insecure Direct Object Reference)

Impact: Any authenticated user can access other users' order information by simply modifying the userId parameter, leading to:

  • Privacy breach
  • Unauthorized access to sensitive order data
  • Potential data manipulation

Proof of Concept

[Screenshot: unauthorized access to target1's orders]

As shown in the screenshot above, by manipulating the userId parameter, we successfully accessed orders belonging to another user (target1).

Expected Behavior

The system should:

  • Validate that the requesting user has permission to access the specified orders
  • Only return orders belonging to the authenticated user
  • Return an authorization error (403 Forbidden) when attempting to access other users' data

Severity

High - This vulnerability allows any authenticated user to access sensitive information of other users.

YLChen-007 · Nov 04 '25 06:11
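The order-list handler described in this report, shown as an added illustration in Python (not xmall's own code, which this page does not show): the vulnerable form trusts the userId request parameter, the hardened form derives ownership from the authenticated session and answers 403 on a mismatch. The function names, the Session class, the in-memory ORDERS store and the sample orders are all constructed for the example.

```python
# Added illustration, not code from the xmall project. Everything below
# (Session, ORDERS, the two handlers) is a constructed stand-in for the
# endpoint the report describes.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user_id: str  # identity established at login; not client-controlled


# Constructed sample data: two users, each owning their own orders.
ORDERS = {
    "target1": [{"order_id": "A-1001", "item": "IPhone X"}],
    "tester": [{"order_id": "A-2002", "item": "USB cable"}],
}


def list_orders_vulnerable(session: Optional[Session], requested_user_id: str):
    """Vulnerable: the userId parameter alone decides whose orders come back.
    The session is only checked for presence, never compared with the parameter,
    which is exactly the IDOR in the report."""
    if session is None:
        return 401, {"error": "login required"}
    return 200, ORDERS.get(requested_user_id, [])


def list_orders_fixed(session: Optional[Session], requested_user_id: Optional[str] = None):
    """Hardened: ownership is taken from the session. If the route still accepts
    a userId parameter, it must equal the caller's id or the request is refused
    with 403, and the lookup itself always keys on session.user_id."""
    if session is None:
        return 401, {"error": "login required"}
    if requested_user_id is not None and requested_user_id != session.user_id:
        # Uniform error: do not reveal whether the other user or their orders exist.
        return 403, {"error": "forbidden"}
    return 200, ORDERS.get(session.user_id, [])


if __name__ == "__main__":
    tester = Session(user_id="tester")
    # Reproduction from the report: a test account asks for target1's orders.
    print(list_orders_vulnerable(tester, "target1"))  # 200 with target1's order leaked
    print(list_orders_fixed(tester, "target1"))       # 403, nothing leaked
    print(list_orders_fixed(tester))                  # 200 with tester's own orders only
```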