Fides Privacy Request Identity Verification Bypass Vulnerability

Vulnerability

Fides versions from 2.75.0 up to, but not including, 2.83.2 allow an administrator to approve a privacy request that duplicate request detection has flagged as a duplicate before the data subject has verified their identity. The issue affects only deployments with both identity verification and duplicate request detection enabled. Because the approved duplicate is then processed like any verified request, a request submitted by someone other than the data subject can result in deletion of that subject's records across every system integrated with the affected deployment. The same patch also fixes a related denial-of-service issue that prevented legitimate data subjects from completing privacy requests.

Impact

An unverified duplicate privacy request can be approved and executed, bypassing identity verification entirely. For deletion requests this means a data subject's records can be removed from every integrated system without the subject ever having confirmed the request. The denial-of-service issue fixed in the same patch is distinct: it blocked legitimate data subjects from completing privacy requests rather than letting illegitimate ones through.

Reproduction

In a deployment with identity verification and duplicate detection both enabled, submit two privacy requests for the same email address, leaving the second unverified so that duplicate detection classifies it as a duplicate before its identity verification step is reached. An administrator then approves the request classified as a duplicate. It is processed as though identity verification had completed, even though no verification ever took place for it.

Remediation

Users are advised to upgrade to Fides version 2.83.2 or later. For deployments that cannot upgrade immediately, duplicate detection can be disabled in the Admin UI under Settings → Privacy Requests → Duplicate Detection; with it off, no request is reclassified as a duplicate, so every request must pass identity verification before it can be approved. Re-enable the setting only after upgrading, and review requests approved during the exposure window for approvals that lack a completed identity verification.
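As an added illustration for this page (not Fides code and not its API), the following Python models the reproduction steps above and the effect of the duplicate-detection workaround. The status names, the request fields, the in-memory store, the sample address alice@example.com and the assumption that duplicate detection reclassifies a request at submission time, before verification, are all assumptions made for the example. The point it shows is that an approval gate keyed on request status alone is satisfied by a request that never passed verification, and that the fix is to check a recorded verification flag regardless of how the request was classified.

```python
"""Model of the identity-verification bypass described on this page.

Illustrative code written for this page; not Fides source and not its API.
Status names, fields, the in-memory store and the sample email are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IDENTITY_UNVERIFIED = "identity_unverified"  # subject has not yet verified
    PENDING = "pending"                          # verified, awaiting admin review
    DUPLICATE = "duplicate"                      # flagged as a repeat of an open request
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class PrivacyRequest:
    request_id: str
    email: str
    status: Status = Status.IDENTITY_UNVERIFIED
    identity_verified: bool = False


class RequestStore:
    """Minimal stand-in for the privacy request table (assumption)."""

    def __init__(self, duplicate_detection: bool = True):
        self.duplicate_detection = duplicate_detection
        self.requests: dict[str, PrivacyRequest] = {}

    def submit(self, request_id: str, email: str) -> PrivacyRequest:
        req = PrivacyRequest(request_id, email)
        # Assumed ordering: duplicate detection runs at submission, so a repeat
        # request is reclassified before its verification step is reached.
        if self.duplicate_detection and any(
            r.email.lower() == email.lower() and r.status is not Status.DENIED
            for r in self.requests.values()
        ):
            req.status = Status.DUPLICATE
        self.requests[request_id] = req
        return req

    def verify_identity(self, request_id: str) -> PrivacyRequest:
        """Called when the data subject completes the verification challenge."""
        req = self.requests[request_id]
        req.identity_verified = True
        if req.status is Status.IDENTITY_UNVERIFIED:
            req.status = Status.PENDING
        return req


def approve_vulnerable(req: PrivacyRequest) -> PrivacyRequest:
    """The flaw: approval is gated on status alone. A DUPLICATE request never
    went through IDENTITY_UNVERIFIED -> PENDING, yet it is approvable."""
    if req.status not in (Status.PENDING, Status.DUPLICATE):
        raise PermissionError(f"{req.request_id}: cannot approve from {req.status.value}")
    req.status = Status.APPROVED
    return req


def approve_hardened(req: PrivacyRequest) -> PrivacyRequest:
    """The fix: require a recorded verification regardless of classification."""
    if not req.identity_verified:
        raise PermissionError(f"{req.request_id}: identity not verified")
    if req.status not in (Status.PENDING, Status.DUPLICATE):
        raise PermissionError(f"{req.request_id}: cannot approve from {req.status.value}")
    req.status = Status.APPROVED
    return req


def unverified_approvals(store: RequestStore) -> list[str]:
    """Audit check: approved requests with no identity verification on record.
    The equivalent query against the real request table is worth running
    after patching to find approvals made during the exposure window."""
    return sorted(
        r.request_id
        for r in store.requests.values()
        if r.status is Status.APPROVED and not r.identity_verified
    )


def run_scenario(approve, duplicate_detection: bool = True):
    """Replay the reproduction steps with a constructed sample: two requests for
    one address, the first verified, the second approved by an admin without
    verification. Returns (classification of the second, outcome, audit hits)."""
    store = RequestStore(duplicate_detection)
    store.submit("req-1", "alice@example.com")
    store.verify_identity("req-1")
    second = store.submit("req-2", "alice@example.com")
    classified = second.status.value
    try:
        approve(second)
        outcome = "approved"
    except PermissionError as exc:
        outcome = f"refused ({exc})"
    return classified, outcome, unverified_approvals(store)


if __name__ == "__main__":
    print("vulnerable, detection on: ", run_scenario(approve_vulnerable))
    print("hardened,   detection on: ", run_scenario(approve_hardened))
    print("vulnerable, detection off:", run_scenario(approve_vulnerable, False))
```

Running it shows the three cases side by side: the vulnerable gate approves the duplicate and the audit flags req-2; the hardened gate refuses it; and with duplicate detection disabled (the interim workaround) the second request stays in identity_unverified, so even the vulnerable gate refuses it.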

Added: May 12, 2026, 7:10 PM
Updated: May 12, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 8.3
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.