Summary
I have found a way to access other customers' invoices while signed in as a user. This method allows an actor to access PII and financial information from another account.
Details
I suspect that the edit_invoice function in MyFinances/backend/api/invoices/edit.py takes a parameter without conducting an authorization check, allowing unauthorized access to another user's invoice.
PoC
- Create two users
- Create an invoice for each user (using the app as normal, giving invoice 1 and invoice 2)
- While signed in as a user, navigate to Invoices
- Click the ellipsis under Actions, then click Edit
- In the proxy, the request is as follows:
GET /dashboard/invoices/2/edit/ HTTP/1.1
I can change this integer (2, which I own) to 1; since it exists, I have access to the invoice of another user. In my case it was the other user I created. I am not signed into the account which owns invoice 1.
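The following is an added illustration of the pattern described above, not code from MyFinances: a minimal model of an edit handler that looks an invoice up by the id in the path alone, next to a hardened version that scopes the lookup to the requesting user, plus the access-matrix probe a tester runs to confirm or rule out the cross-account access. The Invoice and Request types, the handler names and the two sample users are assumptions made for the example.

```python
"""Model of the reported IDOR and its fix. Illustrative code added to this
report, not MyFinances' own code: the Invoice/Request types, handler names
and sample data below are assumptions, not the project's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Invoice:
    id: int
    owner: str        # username of the account that created the invoice
    client_name: str  # PII the report is concerned about
    amount_due: float


@dataclass
class Request:
    user: str  # the authenticated user making the request


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


# Constructed sample data mirroring the PoC: two users, one invoice each.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, "alice", "ACME Ltd", 1200.00),
    2: Invoice(2, "bob", "Globex", 350.00),
}


def edit_invoice_vulnerable(request: Request, invoice_id: int) -> Invoice:
    """Assumed shape of the bug: the handler trusts the path parameter and
    fetches by id only, so any signed-in user who changes the integer gets
    someone else's invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def edit_invoice_fixed(request: Request, invoice_id: int) -> Invoice:
    """Hardened form: the lookup itself is scoped to the requesting user.
    An invoice that exists but belongs to another account is treated exactly
    like one that does not exist, so valid ids are not leaked either."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != request.user:
        raise NotFound(invoice_id)
    return invoice


def access_matrix(handler, users: List[str], invoice_ids: List[int]) -> Dict[Tuple[str, int], str]:
    """Probe every (user, invoice) pair and record the outcome. This is the
    systematic version of the manual id-swap in the PoC."""
    matrix: Dict[Tuple[str, int], str] = {}
    for user in users:
        for inv_id in invoice_ids:
            try:
                handler(Request(user=user), inv_id)
                matrix[(user, inv_id)] = "allowed"
            except NotFound:
                matrix[(user, inv_id)] = "denied"
    return matrix


def cross_account_leaks(handler) -> List[Tuple[str, int]]:
    """Return the (user, invoice_id) pairs where a user reached an invoice
    they do not own. An empty list means object-level authorization holds."""
    users = sorted({inv.owner for inv in INVOICES.values()})
    matrix = access_matrix(handler, users, sorted(INVOICES))
    return sorted(
        (user, inv_id)
        for (user, inv_id), result in matrix.items()
        if result == "allowed" and INVOICES[inv_id].owner != user
    )


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(edit_invoice_vulnerable))
    print("fixed handler leaks:     ", cross_account_leaks(edit_invoice_fixed))
```

In a Django view the fixed lookup is the usual `get_object_or_404(Invoice, id=invoice_id, user=request.user)` idiom (filtering on the owner inside the query rather than checking it afterwards); the access-matrix probe is worth keeping as a regression test so a later refactor cannot quietly drop the owner filter again.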
Impact
Any customer that has an invoice may have that invoice accessed from any other authenticated account.
I ran this app locally on my machine following the instructions in GitHub.
Please let me know if you have other questions. I am an application security professional by profession and I would be open to cooperate more moving forward!