Hytale Modding Wiki Insecure Direct Object Reference Vulnerability Allowing Personal Information Exposure
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Hytale Modding Wiki, affecting versions prior to 1.0.0. This vulnerability allows any authenticated user to access mod authors' personal information, including full names and email addresses, by simply navigating to a mod's page via its slug. The issue arises because the API response for mod pages includes the complete author object with sensitive personally identifiable information (PII) without proper access control, exposing this data to users who should not have access.
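The over-exposure described above comes from returning the stored author record as-is. The following is an added example, not code from the Hytale Modding Wiki, showing the vulnerable pattern beside an allow-list serializer that only releases name and email to the author themselves (or an admin), plus a regression check that scans a response for the PII keys; the field names and sample record are constructed assumptions.

```python
# Added example (not the Hytale Modding Wiki's code): fixing an IDOR-style
# PII leak in a mod-page API response with field allow-listing.

# Constructed sample record, as a mod API might load it from its database.
MOD_RECORD = {
    "slug": "example-mod",
    "name": "Example Mod",
    "author": {
        "id": 42,
        "username": "modder",
        "full_name": "Jane Example",        # PII: must not reach other users
        "email": "jane@example.invalid",    # PII: must not reach other users
    },
}

PUBLIC_AUTHOR_FIELDS = ("id", "username")                       # safe for anyone
OWNER_AUTHOR_FIELDS = PUBLIC_AUTHOR_FIELDS + ("full_name", "email")
PII_FIELDS = {"full_name", "email"}


def vulnerable_mod_response(record):
    """Before: the whole record, complete author object included, is returned."""
    return record


def mod_response(record, requester_id, is_admin=False):
    """After: copy only allow-listed author fields; PII only for owner/admin."""
    author = record["author"]
    allowed = OWNER_AUTHOR_FIELDS if (is_admin or requester_id == author["id"]) \
        else PUBLIC_AUTHOR_FIELDS
    return {
        "slug": record["slug"],
        "name": record["name"],
        # Build a fresh dict so unknown keys added later do not slip through.
        "author": {k: author[k] for k in allowed if k in author},
    }


def contains_author_pii(response):
    """Regression check: walk the response for any PII key at any depth.

    Run this on the response as rendered for a non-owner; it should be False.
    """
    if isinstance(response, dict):
        return any(k in PII_FIELDS or contains_author_pii(v)
                   for k, v in response.items())
    if isinstance(response, list):
        return any(contains_author_pii(v) for v in response)
    return False
```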
Impact
Exploitation of this vulnerability leads to unauthorized disclosure of personal information, specifically full names and email addresses of mod authors, to any authenticated user on the platform.
Reproduction
To reproduce this vulnerability, create an account on the Hytale Modding Wiki and log in. Then, navigate to any mod page using its slug. After the page loads, inspect the API response for the page request in the browser's Developer Tools. The response will contain the author's full name and email address, which should not be accessible to the user.
Remediation
Users can update to Hytale Modding Wiki version 1.0.0 or later, where this vulnerability has been fixed.
