Mass IDOR + Race Condition: Sequential Tokens Unlock Millions of Patient Names in a Healthcare…

As a bug bounty hunter, I've chased my fair share of vulnerabilities from subtle misconfigurations to complex logic flaws. But discoveries…

Samrat Sitaula

~4 min read · March 17, 2026 (Updated: March 17, 2026) · Free: Yes

As a bug bounty hunter, I've chased my fair share of vulnerabilities from subtle misconfigurations to complex logic flaws. But discoveries involving healthcare always hit differently.

Here, privacy isn't just a feature. It's a lifeline.

This write-up tells the story of how a seemingly harmless guest-sharing feature on a large healthcare platform turned into a critical chained vulnerability.

By combining:

Insecure Direct Object Reference (IDOR)
Low-entropy tokens
A race condition

it became possible to enumerate patient identities and bypass security limits at scale.

Let's break it down step by step.

The Feature: Guest Access

Healthcare platforms often deal with highly sensitive data:

Test results
Diagnoses
Appointment history
Doctor-patient communications

To make things easier for patients, many platforms provide guest access links.

Instead of forcing patients to create accounts, doctors can send a temporary access link via SMS or email.

The links looked like this:

https://redacted.com/guest-access/[short-token]

The [short-token] acts as the key to a patient's private data.

Ideally, this token should be:

Long
Random
Cryptographically secure
Impossible to guess

Unfortunately, that assumption didn't hold.

Step 1 — The First Crack (IDOR Discovery)

The first valid guest token I found didn't come from fuzzing.

The endpoint was relatively quiet and only responded meaningfully when given valid-looking tokens.

Eventually I discovered a token through VirusTotal, where users had unknowingly uploaded files containing guest URLs.

With a working token in hand, curiosity kicked in.

I changed one character.

Instead of returning an invalid link error, the server responded with:

A completely different patient's first name.

That was the moment everything changed.

I tried again.

Another token.

Another unrelated patient name.

This was a textbook Insecure Direct Object Reference (IDOR).

The server trusted whatever identifier I supplied and returned patient data without verifying authorization.

Step 2 — Token Density Gone Wild

The tokens were surprisingly short:

~8 characters, alphanumeric

Short tokens alone are risky, but what I found next was worse.

I tried simple numeric tokens.

Every one of them returned valid responses.

Each revealed a real patient's first name.

Even random strings frequently resolved as valid guest links.

This revealed a critically dense token namespace:

No strict length enforcement
No format validation
Extremely low entropy

In other words:

Low entropy + high density = trivial enumeration

With a simple script, an attacker could generate and test thousands of tokens per minute.

Considering the platform reportedly served ~100 million users, this meant large-scale patient enumeration was possible.

Step 3 — The Safeguard (and Its Fatal Flaw)

After revealing the patient's first name, the system required an additional step.

To view the message, the user had to verify the patient by entering:

Date of Birth

To prevent brute force attempts, the system limited verification attempts to:

19 tries per token

On paper, this looked reasonable.

In practice, it failed.

Step 4 — Exploiting the Race Condition

The attempt counter wasn't implemented safely.

By sending multiple parallel POST requests simultaneously (30+ requests), the server processed more attempts before updating the counter.

This created a classic race condition.

Because the counter wasn't updated atomically, concurrent requests slipped past the limit before it locked.

Using tools like Burp Suite Intruder, this behavior was easy to reproduce.

The result:

Attempt limit bypassed
Unlimited DOB brute forcing
Correct DOB → full message access

These messages contained sensitive doctor-patient communications, including:

Medical test results
Clinical notes
Treatment information

Under GDPR, this qualifies as special-category health data.

Step 5 — A Second Vulnerable Endpoint

While continuing to explore the platform, I found another guest feature.

And it shared the same fundamental design issues.

The second endpoint:

Used short tokens again
Leaked contextual information
Required only the first 3 letters of the patient's last name

That's just:

2⁶³ = 17,576 combinations

Using the same race-condition technique, the verification limit could again be bypassed.

Successful verification revealed:

Appointment dates
Cancellations
Postponements

Even without explicit medical data, appointment metadata can reveal sensitive health context.

Chaining the Vulnerabilities

Individually, each issue was serious.

Combined, they became critical.

The full attack chain looked like this:

1. Token Enumeration

Predictable tokens allowed large-scale harvesting of patient first names.

2. Race Condition Limit Bypass

Rate limits on verification could be bypassed.

3. Identity Verification Brute Force

DOB or last-name checks could be brute-forced.

4. Sensitive Data Exposure

Attackers could access patient messages and appointment data.

At scale, this could allow an attacker to collect thousands of unrelated patient records.

Why This Matters

Healthcare data is among the most sensitive data categories in existence.

Under GDPR, unauthorized exposure of health information can lead to:

Fines up to €20 million
4% of global annual revenue
Legal liability
Severe reputational damage

Given the platform's scale, the exploitation potential was critical.

Responsible Disclosure

After confirming the issue, I immediately stopped further testing and submitted a report through the platform's bug bounty program.

The report included:

Detailed reproduction steps
Multiple proof-of-concept videos
Screenshots
Impact analysis
Remediation recommendations

Lessons Learned

For Bug Bounty Hunters

Convenience features often hide serious flaws.

Always test:

Guest links
File-sharing tokens
Magic links

Look for:

Token patterns
Low entropy identifiers
Validation gaps

And remember:

Chained vulnerabilities dramatically increase impact.

For Developers

Security fundamentals matter.

Key protections include:

Use high-entropy tokens (cryptographically secure UUIDs)
Never expose PII before verification
Implement atomic rate limiting
Treat guest-access features as untrusted entry points

Final Thoughts

This wasn't a flashy exploit.

It was a reminder that small design shortcuts can cascade into large-scale privacy risks.

A short token here. A missing authorization check there. A race condition hiding in plain sight.

Together, they created a pathway to mass patient data exposure.

Security isn't just about blocking attackers.

It's about protecting the people whose data lives behind the systems we build.

Stay curious. Stay ethical.

#cybersecurity #infosec #idor #health #healthcare