An improper access control vulnerability was identified in OpenEyes 3.5.1, developed by the Apperta Foundation.
A low privileged user could load a patient's profile in their browser and access sensitive information without the required level of privilege. Despite the application returning a 'Forbidden' message on the webpage, the server response still returned all the information about a patient. This information could be viewed in an intercepting proxy, or simply by viewing the page source within the browser.
- As a highly privileged user, view a patient profile.
- Copy the URL to this patient profile.
- Log out of the OpenEyes session.
- Log in with a low privileged user.
- Paste the patient profile URL in and browse to this.
- Note that OpenEyes returns a 'Foribidden' message.
- Right click and click 'View page source'.
- Note that the sensitive patient information is still returned in the response, and can be viewed in the page source.
The patient overview contains sensitive information about the patient. This includes PII such as Date of Birth, NHS number and address. In addition, extensive medical information is disclosed such as medication plans, prescription informations, past appointments, current medical problems or past procdeures.
This information being obtained by a user who is unauthorized could result in a breache of privacy, and impact the confidentiality of patient information stored within the OpenEyes application.