Benner Connecta Insecure Direct Object Reference Vulnerability Allowing Account Takeover

Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in Benner Connecta version 1.0.5330. This vulnerability allows an attacker to modify the account details of any user, leading to full account takeover. The issue arises in the 'EditarLogado' endpoint, where the 'Handle' parameter can be manipulated to target another user's account. The system's request verification token, which is session-bound, can be regenerated, enabling multiple unauthorized modifications.

Impact

Exploitation of this vulnerability allows for unauthorized modifications of user accounts, full account takeover by changing the email and resetting the password, and exposure of Personally Identifiable Information (PII).

Reproduction

To reproduce this vulnerability, navigate to the 'Minha Conta' section and select 'Editar'. Capture the request using an intercepting proxy, such as Burp Suite. Modify the 'Handle' parameter to the victim's user ID and change the email field to an email controlled by the attacker. Send the modified request, ensuring that all headers, cookies, and the request verification token are valid. After intercepting the request, initiate the 'Forgot Password' process using the modified email to reset the victim's password and gain access to their account.

Remediation

Implement proper authorization checks to ensure users can only modify their own data. Use server-side validation to restrict changes to the authenticated user's account. Consider applying role-based access control (RBAC) to prevent privilege escalation.
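
The authorization check described above, shown as an added example (not Benner Connecta's code, which is not on this page): a handler that trusts the client-supplied 'Handle' next to one that takes the target account from the authenticated session and logs mismatches. The function names, the session and form layout, and the sample accounts are assumptions made for illustration.

```python
import hmac

class Forbidden(Exception):
    """Request targets an account the caller does not own."""

def new_store():
    # Constructed sample accounts; handles and addresses are made up.
    return {101: {"email": "alice@example.test"},
            102: {"email": "bob@example.test"}}

def _check_token(session, form):
    # Anti-forgery check: proves the request came from this session,
    # but says nothing about which account the request may touch.
    if not hmac.compare_digest(session["csrf_token"], form.get("token", "")):
        raise Forbidden("invalid request verification token")

def edit_vulnerable(users, session, form):
    """'Before': the record is chosen by the client-supplied Handle."""
    _check_token(session, form)
    target = int(form["Handle"])
    users[target]["email"] = form["Email"]
    return target

def edit_hardened(users, session, form, audit_log):
    """'After': the record is chosen by the authenticated session."""
    _check_token(session, form)
    own = session["user_handle"]
    supplied = form.get("Handle")
    if supplied is not None and str(supplied) != str(own):
        # Record the mismatch so repeated attempts can be alerted on.
        audit_log.append({"event": "handle_mismatch",
                          "session_user": own, "requested": str(supplied)})
        raise Forbidden("Handle does not match authenticated user")
    users[own]["email"] = form["Email"]
    return own

def demo():
    # Session of user 101 submitting a form that names user 102 (constructed).
    session = {"user_handle": 101, "csrf_token": "tok-constructed"}
    cross = {"Handle": "102", "Email": "new@example.test",
             "token": "tok-constructed"}
    before, after, log = new_store(), new_store(), []
    edit_vulnerable(before, session, cross)
    try:
        edit_hardened(after, session, cross, log)
        blocked = False
    except Forbidden:
        blocked = True
    return before[102]["email"], after[102]["email"], blocked, log

if __name__ == "__main__":
    print(demo())
```

Both handlers accept the same valid token, which shows why a session-bound request verification token does not stand in for an ownership check.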

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.