IDOR on /api/v1/users/{id}/profile allows unauthorized access to user PII
Description
The /api/v1/users/{id}/profile endpoint fails to verify that the authenticated user matches the requested {id} parameter. By changing the user ID, an attacker can read any user's full profile including name, email, phone number, and home address.
Proof of concept
GET /api/v1/users/1337/profile HTTP/2
Host: app.example.com
Authorization: Bearer eyJ...
---
HTTP/2 200 OK
{"id":1337,"name":"Intigriti",
"email":"hunter2@example.com",
"phone":"+1-555-5555"}
Steps to reproduce
1. Log in as user A (attacker) at app.example.com/login.
2. Navigate to your own profile and intercept the request to /api/v1/users/{your_id}/profile.
3. Change the user ID in the path to another user's ID (e.g. 1337).
4. Observe the full profile data of user 1337 in the response.
Impact
Any authenticated user can read the full personal profile (name, email, phone, home address) of any other user by iterating over user IDs.
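As an added illustration of the root cause in the example report above (this is not code from the affected application or from Intigriti): a minimal Python version of the profile handler with the missing ownership check, beside its hardened form, plus a replay of the id-iteration claim from the impact section. The in-memory user store, the token-to-user mapping and the function names are assumptions made for the example.

```python
"""Vulnerable vs. hardened /api/v1/users/{id}/profile handler (added illustration).

Everything here is constructed for the example: the user store, the bearer
tokens and the handler names are assumptions, not the real application.
"""
from dataclasses import dataclass, asdict


@dataclass
class Profile:
    id: int
    name: str
    email: str
    phone: str
    address: str


# Constructed sample data standing in for the application's user table.
USERS = {
    42: Profile(42, "User A", "a@example.com", "+1-555-0100", "1 First St"),
    1337: Profile(1337, "Intigriti", "hunter2@example.com", "+1-555-5555", "2 Second St"),
}

# Assumed: what the auth layer would resolve a bearer token to.
TOKENS = {"token-for-user-a": 42, "token-for-user-1337": 1337}


def authenticate(auth_header):
    """Resolve 'Authorization: Bearer <token>' to a user id, or None if invalid."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return TOKENS.get(auth_header[len("Bearer "):])


def get_profile_vulnerable(auth_header, requested_id):
    """Mirrors the reported bug: the caller is authenticated, but nothing checks
    that the caller owns the {id} in the path, so any id can be read."""
    caller = authenticate(auth_header)
    if caller is None:
        return 401, {"error": "unauthorized"}
    profile = USERS.get(requested_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, asdict(profile)


def get_profile_fixed(auth_header, requested_id):
    """Object-level authorization: the requested id must be the caller's own id."""
    caller = authenticate(auth_header)
    if caller is None:
        return 401, {"error": "unauthorized"}
    if requested_id != caller:
        # 404 rather than 403 so the endpoint does not confirm which ids exist.
        return 404, {"error": "not found"}
    profile = USERS.get(requested_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, asdict(profile)


def leaked_ids(handler, auth_header, id_range):
    """Replay the impact claim: which ids does this handler return a profile for
    when the attacker walks the id space with a single valid token?"""
    return [i for i in id_range if handler(auth_header, i)[0] == 200]


if __name__ == "__main__":
    attacker = "Bearer token-for-user-a"  # user A's own token
    print(get_profile_vulnerable(attacker, 1337))  # 200 with user 1337's PII
    print(get_profile_fixed(attacker, 1337))       # 404
    print(leaked_ids(get_profile_vulnerable, attacker, range(1, 2000)))  # [42, 1337]
    print(leaked_ids(get_profile_fixed, attacker, range(1, 2000)))       # [42]
```

The fix is a comparison against the identity the auth layer established, not against anything the client sends; the 404-on-mismatch choice is a design preference to avoid turning the fixed endpoint into a user-id oracle.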
Report title
Write clear, descriptive titles that specify the vulnerability type, affected component, and impact. Avoid generic or lengthy AI-generated titles that try to appear urgent.
Description
Your report's description should describe the reported vulnerability in detail, including its location, likely root cause, and any attack requirements. Keep it concise, and avoid lengthy AI-generated paragraphs or other output that adds no value to your submission. If it's a broken access control or logic flaw, include details about the intended behavior so the triager can see exactly which check is missing.
Proof of concept
Always provide a validated and working proof of concept that demonstrates real exploitability in your target's intended configuration. Avoid submitting unverified, AI-generated payloads or proofs-of-concept. Always include any special attack requirements (e.g., “XSS only works on Firefox”) and supporting materials like malicious APKs or PoC scripts.
Steps to reproduce
Write clear, step-by-step instructions as if the triager has never encountered your target before. Use one line per instruction, mention prerequisites upfront, and validate that each step works correctly. Include inline images where possible and try to attach video proof of concepts for more complex vulnerabilities. Avoid verbose AI-generated output that adds no value to your report.
Impact
State a clear, realistic impact with specific business consequences. Avoid speculative (AI-generated) attack scenarios that can't be proven. Focus on demonstrable impact rather than theoretical possibilities.
Avoid inflating severity ratings to speed up triage
Always assign an accurate severity for your submission. Overestimating the severity of your report forces triagers to incorrectly prioritize it, which will require reassessment and ultimately further delay the overall triage process.