CVE-2022-36539
Insecure Direct Object Reference (IDOR) WeDayCare B.V.
WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.
Traffic between the app and the API can be inspected with an intercepting proxy such as Burp Suite. Although the API cannot be accessed without authentication, no authorization check appears to be applied: with a valid session I can request not only the data of my own children but also that of other children. This gives me full visibility into the personal data of all families, including everything the app processes that counts as personal data under the GDPR. All that is required is to change the ID to that of another child, parent, chat, or similar object.
GET request (screenshot)
Response to the previous request (screenshot)
If I change ID 3586 to, for example, 3576, I can see the data of someone else's son or daughter (screenshot).
Due to the lack of rate limiting, it is also possible to brute-force valid IDs.
This also works with the chat, child details and other functionalities.
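The root cause described above is a missing object-level authorization check: the API verifies that a session exists but never verifies that the session's user is allowed to read the object whose ID is in the request. The following is an added example, not WeDayCare's code, showing the vulnerable lookup beside a hardened one, plus a small per-user rate limiter of the kind that blunts ID enumeration. The handler names, the in-memory tables, the parent IDs and the response shape are all constructed for illustration; only the child IDs 3586 and 3576 come from the advisory.

```python
"""Added example (not the vendor's code): object-level authorization for an
ID-keyed lookup, and a sliding-window rate limiter per authenticated user.

Everything here is constructed for illustration; the real API shape is not
known from the advisory."""
import time
from collections import deque
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours' so the response does not
    reveal which IDs exist."""


@dataclass(frozen=True)
class Child:
    id: int
    name: str
    parent_ids: frozenset  # users allowed to read this record


# Constructed sample data: two families, one child each.
CHILDREN = {
    3586: Child(3586, "child of family A", frozenset({101})),
    3576: Child(3576, "child of family B", frozenset({202})),
}


def get_child_vulnerable(session_user_id: int, child_id: int) -> dict:
    """The IDOR pattern: the caller is authenticated (a session user id is
    present) but the record is returned for ANY id the client supplies."""
    child = CHILDREN[child_id]
    return {"id": child.id, "name": child.name}


def get_child_fixed(session_user_id: int, child_id: int) -> dict:
    """Hardened lookup: the record is returned only if the session user is
    one of the child's parents. Unknown ids and other families' ids get the
    same error, so the endpoint cannot be used to confirm which ids exist."""
    child = CHILDREN.get(child_id)
    if child is None or session_user_id not in child.parent_ids:
        raise Forbidden("no such record for this user")
    return {"id": child.id, "name": child.name}


class RateLimiter:
    """Allow at most `limit` calls per `window` seconds for each key
    (e.g. the session user id). The clock is injectable for testing."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: dict = {}

    def allow(self, key) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_get_child(limiter: RateLimiter, session_user_id: int, child_id: int) -> dict:
    """Request pipeline: rate limit first, then the authorized lookup."""
    if not limiter.allow(session_user_id):
        raise Forbidden("rate limit exceeded")
    return get_child_fixed(session_user_id, child_id)


if __name__ == "__main__":
    # Parent 101 may read 3586 but not 3576; the vulnerable handler allows both.
    print(get_child_vulnerable(101, 3576))   # cross-family read succeeds (the bug)
    print(get_child_fixed(101, 3586))        # own child: allowed
    try:
        get_child_fixed(101, 3576)           # other family's child: refused
    except Forbidden as e:
        print("refused:", e)
```

The important design choice is that the authorization check is keyed on the session's identity, never on anything the client sends, and that "not found" and "not authorized" produce an identical response; a distinguishable error would turn the endpoint back into an ID oracle even after the data leak is closed.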
Advisory
The developer has fixed the missing authorisation check within the web application. Mobile users are required to update to the newest version of the mobile app.