Serious security issue in Customer Address edit section

[kalpmehta]

I have installed Magento2 latest beta version yesterday and was checking it today. I found a serious issue where customer can view/edit (yes EDIT!) another customer's address. It's very simple to reproduce, just change the ID of the address in the URL and you will be presented with that address to edit.

Proof of concept:

• Register as a website user
• Navigate to /customer/address/edit/id/[ANY-VALID-ADDRESS-ID]
• View and/or Edit it

http://www.example.com/customer/address/edit/id/1/
I will be able to see that address (even if it's not mine) and will be allowed to edit it without any issue.

The version I am using: Magento ver. 0.42.0-beta11

[vpelipenko]

@kalpmehta, thank you for posting this issue. We'll check it immediately and fix ASAP if it is confirmed.

[vpelipenko]

Internal ticket: MAGETWO-35333. We are working on this issue now.

[kalpmehta]

Thanks for acknowledging and quickly checking into this.

[sshrewz]

@kalpmehta, this has been resolved in 0.74.0-beta1. Thank you again for submitting this issue. We greatly appreciate your continued support in Magento!