Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

System PDV Insecure Direct Object Reference Vulnerability Allowing Sensitive Information Disclosure

Vulnerability

A vulnerability in System PDV version 1.0 allows remote attackers to access sensitive information by manipulating the hash parameter in a URL. This issue arises from inadequate authorization checks, leading to an Insecure Direct Object Reference (IDOR) vulnerability. Exploiting this flaw can result in unauthorized access to other users' data or internal resources, potentially exposing personal information such as names, phone numbers, and addresses.

Impact

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive personal information, including names, phone numbers, and addresses. Such a data breach could have serious legal implications under Brazil's General Data Protection Law (LGPD), as well as financial and reputational consequences for the affected business.

Reproduction

The vulnerability can be reproduced by sending a request to the application with a base64-encoded hash parameter that references an ID. The application does not properly validate access permissions, allowing the requester to access data associated with other users' IDs. This exploitation can be automated with a script that decodes the base64-encoded ID, modifies it, and re-encodes it before sending the request.
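The advisory describes the weakness from the attacker's side; from the defender's side the point is that a base64-encoded id is an encoding, not an authorization decision. The following is an added illustration (not code from System PDV or from this advisory) of a record lookup written the vulnerable way beside its hardened form: the hardened version checks that the authenticated user owns the record and returns the same "not found" answer for missing and foreign ids, and a per-user indirect-reference map is shown as the stricter alternative. The parameter name `hash` comes from the advisory; the handler names, the sample records, and the ownership map are constructed for the example.

```python
import base64
import binascii
import secrets
from typing import Optional

# Constructed sample data: customer records keyed by their internal numeric id.
CUSTOMERS = {
    101: {"name": "Ana Silva", "phone": "+55 11 90000-0001", "address": "Rua A, 1"},
    102: {"name": "Bruno Souza", "phone": "+55 11 90000-0002", "address": "Rua B, 2"},
}
# Constructed ownership map: which authenticated account may see which record.
OWNER_OF = {101: "user-a", 102: "user-b"}


def decode_hash(hash_param: str) -> Optional[int]:
    """Decode the base64 'hash' query parameter into an integer id.

    Returns None for anything that is not valid base64 wrapping a decimal id,
    so malformed input is rejected instead of raising inside the handler.
    """
    try:
        raw = base64.b64decode(hash_param, validate=True)
        return int(raw.decode("ascii"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def lookup_vulnerable(current_user: str, hash_param: str) -> Optional[dict]:
    """IDOR pattern: any decodable id is served, regardless of who asks."""
    record_id = decode_hash(hash_param)
    return CUSTOMERS.get(record_id)


def lookup_hardened(current_user: str, hash_param: str) -> Optional[dict]:
    """Object-level authorization: the caller must own the referenced record.

    A foreign id and a nonexistent id get the same None so the response does
    not leak which ids exist.
    """
    record_id = decode_hash(hash_param)
    if record_id is None or OWNER_OF.get(record_id) != current_user:
        return None
    return CUSTOMERS[record_id]


# Stricter alternative: never expose the internal id at all. Each user gets
# random, unguessable references that resolve only within that user's map.
_REFERENCE_MAP: dict[str, dict[str, int]] = {}


def issue_reference(current_user: str, record_id: int) -> str:
    """Hand out an opaque per-user reference for a record the user owns."""
    if OWNER_OF.get(record_id) != current_user:
        raise PermissionError("record not owned by user")
    token = secrets.token_urlsafe(16)
    _REFERENCE_MAP.setdefault(current_user, {})[token] = record_id
    return token


def resolve_reference(current_user: str, token: str) -> Optional[dict]:
    """Resolve a reference only through the requesting user's own map."""
    record_id = _REFERENCE_MAP.get(current_user, {}).get(token)
    return CUSTOMERS.get(record_id) if record_id is not None else None


if __name__ == "__main__":
    foreign = base64.b64encode(b"102").decode()  # record owned by user-b
    print("vulnerable:", lookup_vulnerable("user-a", foreign))  # discloses Bruno's data
    print("hardened:  ", lookup_hardened("user-a", foreign))    # None
    ref = issue_reference("user-b", 102)
    print("indirect:  ", resolve_reference("user-b", ref)["name"])
    print("cross-user:", resolve_reference("user-a", ref))      # None
```

The ownership check belongs in every handler that resolves a user-supplied reference, not only the one named in the report; a quick way to audit for this class of defect is to grep for every place the `hash` parameter is decoded and confirm each one passes through an authorization check before touching the record.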

Added: Aug 25, 2025, 2:37 PM
Updated: Aug 25, 2025, 2:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.9
remediation: 0.0
relevance: 0.4
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.