Youlaitech Youlai-Mall Improper Access Control Vulnerability in OpenID Mapping Endpoint

Vulnerability

A vulnerability exists in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0, in the OpenID mapping endpoint. The endpoint does not check that the OpenID being looked up belongs to the caller, so any authenticated user can retrieve another user's authentication data simply by supplying that user's OpenID as the path parameter. Because the response discloses the member ID associated with the OpenID, the flaw is a horizontal privilege escalation (an insecure direct object reference): the disclosed identifier can then be used in unauthorized operations against the victim's account. The vulnerability is remotely exploitable, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability gives an attacker unauthorized access to sensitive authentication data: the victim's MemberAuthDTO, which includes privacy-sensitive information such as the member ID and OpenID. With the victim's member ID in hand, the attacker can pursue horizontal privilege escalation by manipulating the victim's account through other application endpoints that trust that identifier. Additionally, the endpoint can be used to enumerate valid OpenIDs, creating opportunities for targeted exploitation.

Reproduction

To reproduce this vulnerability, log in as any user to obtain a valid application token. Then send a GET request to '/mall-ums/app-api/v1/members/openid/{openid}' with another user's OpenID in place of {openid} and the attacker's token in the Authorization header. The response contains the victim's member ID and other personal information, demonstrating the missing access control and the resulting privilege escalation. A fixed build should either return a record only when the requested OpenID belongs to the authenticated caller or restrict the endpoint to internal service callers, so a 403 or 404 for a foreign OpenID is the expected post-fix behaviour.

Added: Dec 5, 2025, 2:45 PM
Updated: Dec 5, 2025, 2:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.