Hubert Imoveis e Administracao Ltda Hub Object-Level Authorization Vulnerability Allowing Information Disclosure

Vulnerability

A broken object-level authorization vulnerability has been identified in Hubert Imoveis e Administracao Ltda Hub version 2.0, specifically in the iOS, Android, and Web platforms, all running version 1.27.3. This vulnerability allows authenticated attackers with low-level privileges to access personal information of other users, such as national ID/CPF, name, and email, by manipulating object identifiers in API requests. The issue arises from inadequate authorization checks, enabling the retrieval of sensitive data from arbitrary user records.

Impact

Exploitation of this vulnerability leads to unauthorized access to personally identifiable information of users, including sensitive data such as national identification numbers, names, and email addresses.

Reproduction

To reproduce this vulnerability, send a request to the 'api-cadastro.hubert.com.br/api/v1/unidades/1839/GRENO<ID>/pessoas' endpoint, replacing '<ID>' with the identifier of another user. The response will include personal information such as the user's document number (CPF) and name. Additionally, this information can be used to access further personal details, like email addresses, through related API endpoints.
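As an added illustration (not code from Hubert or from this advisory), the following hypothetical handler for the path pattern above shows the difference between a route that only checks authentication and one that also performs the object-level authorization check whose absence causes this class of bug. The in-memory record store, the owner field, the user roles, the CPF masking and the denial log are all assumptions.

```python
import re

# Constructed stand-in for the "pessoas" records the endpoint returns.
# Field names and the owner mapping are assumptions for the example.
PESSOAS = {
    ("1839", "1001"): {"owner": "user-a", "nome": "Ana", "cpf": "12345678901", "email": "ana@example.com"},
    ("1839", "1002"): {"owner": "user-b", "nome": "Bruno", "cpf": "98765432100", "email": "bruno@example.com"},
}
DENIALS = []  # denied cross-object reads, kept so a detector can alert on enumeration

ROUTE = re.compile(r"^/api/v1/unidades/(?P<unidade>[^/]+)/GRENO(?P<id>[^/]+)/pessoas$")

def parse_route(path):
    """Extract (unidade, id) from the endpoint path, or None if the path does not match."""
    m = ROUTE.match(path)
    return (m.group("unidade"), m.group("id")) if m else None

def mask_cpf(cpf):
    """Field minimisation: never return the full national ID even to an authorized caller."""
    return "*" * (len(cpf) - 2) + cpf[-2:]

def vulnerable_get_pessoas(requester, path):
    """Before: any authenticated caller can read any record by changing the id."""
    key = parse_route(path)
    if key is None:
        return 404, None
    if requester is None:
        return 401, None
    record = PESSOAS.get(key)
    return (200, record) if record else (404, None)

def hardened_get_pessoas(requester, path):
    """After: object-level check (owner or admin) plus field minimisation."""
    key = parse_route(path)
    if key is None:
        return 404, None
    if requester is None:
        return 401, None
    record = PESSOAS.get(key)
    allowed = record is not None and (requester["role"] == "admin" or record["owner"] == requester["id"])
    if not allowed:
        # Same status for "missing" and "not yours" so the response does not confirm which ids exist.
        DENIALS.append({"user": requester["id"], "unidade": key[0], "id": key[1]})
        return 404, None
    return 200, {"nome": record["nome"], "cpf": mask_cpf(record["cpf"])}
```

A spike of entries in DENIALS for one user across many ids is the signature of the enumeration this advisory describes and is a reasonable alerting condition.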

Added: Jan 13, 2026, 5:27 PM
Updated: Jan 13, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.