Fopje/CVE-2022-36539
CVE-2022-36539

Insecure Direct Object Reference (IDOR) in the WeDayCare B.V. Ouderapp

WeDayCare B.V. Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

API traffic is made visible by routing it through an intercepting proxy such as Burp Suite. Although the API cannot be accessed without authentication, no authorization check appears to be applied to the object that is requested. This way I can request not only the data of my own children but also that of other children. This gives me full visibility into the personal data of all families, including everything processed in the app that counts as personal data under the GDPR. For this I only have to change the ID to that of another child, parent, chat, or similar object.

GET request (screenshot)

Response for the previous request (screenshot)

If I change ID 3586 to, for example, 3576 (screenshot of the modified request)

I can see the data of someone else's son or daughter (screenshot of the response)
Due to the lack of rate limiting it is also possible to brute-force valid IDs.

This also works with the chat, child details and other functionalities.
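The gap described above, as an added illustration that is not WeDayCare's code: an authenticated lookup that trusts the client-supplied ID, next to the fixed version that scopes the lookup to the calling parent, plus a small server-side guard that counts denied lookups per parent so an ID brute-force is noticed. The parent IDs, record contents and the `EnumerationGuard` class are constructed for this example; the child IDs 3586 and 3576 mirror the screenshots.

```python
"""Added illustration (not the app's own code) of the missing ownership check
and of a simple server-side guard against ID enumeration. All data is constructed."""
from collections import defaultdict

# Constructed sample records; child IDs 3586 and 3576 mirror the screenshots above.
CHILDREN = {
    3586: {"name": "Child A", "parent_id": 101},
    3576: {"name": "Child B", "parent_id": 202},
}


class AccessDenied(Exception):
    """Raised when the record does not exist or does not belong to the caller.
    Using one error for both cases keeps the API from revealing which IDs are valid."""


def get_child_vulnerable(auth_parent_id, child_id):
    """Before: the caller is authenticated, but the record is chosen purely by the
    client-supplied ID, so any parent can read any child (the IDOR)."""
    return CHILDREN[child_id]


def get_child_fixed(auth_parent_id, child_id):
    """After: the lookup is scoped to the authenticated parent."""
    record = CHILDREN.get(child_id)
    if record is None or record["parent_id"] != auth_parent_id:
        raise AccessDenied(f"child {child_id} not accessible to parent {auth_parent_id}")
    return record


class EnumerationGuard:
    """Counts denied lookups per parent; a burst above `limit` is something a
    normal user never produces and an ID brute-force always does."""

    def __init__(self, limit=5):
        self.limit = limit
        self.denied = defaultdict(int)

    def is_blocked(self, auth_parent_id):
        return self.denied[auth_parent_id] >= self.limit

    def lookup(self, auth_parent_id, child_id):
        if self.is_blocked(auth_parent_id):
            raise AccessDenied(f"parent {auth_parent_id} temporarily blocked")
        try:
            return get_child_fixed(auth_parent_id, child_id)
        except AccessDenied:
            self.denied[auth_parent_id] += 1
            raise
```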

Advisory

The developer has fixed the missing authorisation check in the web application. Mobile users are required to update to the newest version of the mobile app.
