• By Yash Goti

Hey Flocks,

Let me share a story of a PII leak. Recently, on my birthday, we bought our first ever car, a KIA Seltos. A week later the car dealer called and asked me to leave positive feedback through a link about how the buying experience was, and so on.

https://example.com/#/delivery-feedback?key={KEY}

When I opened the feedback link, the web page already had my name on it, prefetched when the feedback form loaded. I was shocked: how was that possible? So it was time to intercept some requests before submitting my feedback.

I quickly opened Burp Suite

As a pentester I knew what I was looking for, and guess what, I found it: a parameter whose value was quite guessable. Before we dig deeper, let's first recall what PII is and why a company needs to protect such information about its customers.

Personally identifiable information (PII) is any information that can be used to identify a specific individual. This includes a person's name, address, phone number, date of birth, social security number and other personal details. Securing PII matters because, if it is accessed by unauthorized parties, it can be used for identity theft, financial fraud and other types of cybercrime.

One way PII is compromised is through data breaches, where attackers gain access to a company's databases and steal sensitive information. PII can also be lost or stolen through physical means, such as a lost laptop or paper document. And, as in this story, an application can simply hand it to anyone who can guess a link.

Let me brief you on my observations; yours may differ depending on the test cases you build from your own experience.

The first step is always to look for vulnerable parameters, and more importantly the endpoint. I observed the key parameter in the URL and, surprisingly, it was just base64 encoded. Decoding it revealed two values. The first is the dealer number; KIA India assigns these based on the state the dealer is located in, so since I'm in Gujarat mine began with GJ***. The second is folloupNo, which is again very guessable: it starts with KYYYYMMDD***.

The fun part: I didn't need any authentication at all.

Given the above, my observation was clear, and I'm sure this is a textbook IDOR. Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly, without checking that the requester is actually authorized to see that object.
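To make the weakness concrete, here is an added example in Python; it is not code from the original post or from the dealer's system. It assumes the key is base64 of "dealerNo|followupNo" and that the trailing *** of KYYYYMMDD*** is a three-digit counter; the separator and counter width are assumptions, since the post only gives the two fields and their prefixes. The first half shows how little work enumerating such keys takes, and the FeedbackStore class beside it shows a hardened design where the link carries a random token that cannot be derived from the booking details, expires, and is single-use.

```python
import base64
import hashlib
import secrets
from datetime import date, datetime, timedelta

# Constructed layout. The post says the key is base64 of a dealer number and a
# followupNo but not how they are joined; the "|" separator and the 3-digit
# trailing counter are assumptions made for this example.
SEPARATOR = "|"


def encode_key(dealer_no: str, followup_no: str) -> str:
    """Build a key the way the vulnerable design appears to: base64 over two
    predictable fields (e.g. dealer "GJ001", followupNo "K20230115007")."""
    raw = f"{dealer_no}{SEPARATOR}{followup_no}".encode()
    return base64.b64encode(raw).decode()


def decode_key(key: str) -> tuple[str, str]:
    """Recover both fields. Base64 is an encoding, not encryption, so anyone
    holding a single link learns the whole key layout."""
    dealer_no, followup_no = base64.b64decode(key).decode().split(SEPARATOR, 1)
    return dealer_no, followup_no


def candidate_keys(dealer_no: str, day: date, max_seq: int = 999):
    """Every key an attacker would try for one dealer and one delivery date.
    One dealer over one month is roughly 31 * 999 unauthenticated requests."""
    for seq in range(1, max_seq + 1):
        yield encode_key(dealer_no, f"K{day:%Y%m%d}{seq:03d}")


class FeedbackStore:
    """Hardened design: the link carries a random 256-bit token, the server keeps
    only its hash, and the record is found by that hash rather than derived from
    guessable booking data. Tokens expire and are spent on submission."""

    def __init__(self, ttl: timedelta = timedelta(days=30)):
        self._records: dict[str, dict] = {}
        self._ttl = ttl

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, dealer_no: str, followup_no: str, customer_name: str,
              now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits: not enumerable
        self._records[self._digest(token)] = {
            "dealer_no": dealer_no, "followup_no": followup_no,
            "customer_name": customer_name,
            "expires": now + self._ttl, "used": False,
        }
        return token

    def _live(self, token: str, now: datetime):
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None  # unknown, spent or stale: reveal nothing either way
        return rec

    def lookup(self, token: str, now: datetime):
        """What the feedback page may prefetch. Any token that is not live
        returns None, so a wrong guess leaks no PII."""
        rec = self._live(token, now)
        if rec is None:
            return None
        return {"dealer_no": rec["dealer_no"], "customer_name": rec["customer_name"]}

    def submit(self, token: str, now: datetime) -> bool:
        rec = self._live(token, now)
        if rec is None:
            return False
        rec["used"] = True
        return True


def demo() -> dict:
    """Run both halves on constructed data and return the observations."""
    leaked_key = encode_key("GJ001", "K20230115007")  # constructed sample link
    day = date(2023, 1, 15)
    now = datetime(2023, 1, 22)
    store = FeedbackStore()
    token = store.issue("GJ001", "K20230115007", "A. Customer", now)
    before = store.lookup(token, now)
    store.submit(token, now)
    return {
        "decoded": decode_key(leaked_key),
        "candidates_one_day": sum(1 for _ in candidate_keys("GJ001", day)),
        "first_candidate": decode_key(next(candidate_keys("GJ001", day)))[1],
        "guessed_old_key_works": store.lookup(leaked_key, now) is not None,
        "legit_name": before["customer_name"],
        "reusable_after_submit": store.lookup(token, now) is not None,
    }
```

Two design points worth noting: the hardened store hashes the token before storing it, so a dump of the feedback table does not yield working links, and it answers every non-live token with the same None, so an attacker cannot tell a never-issued token from an expired or already-used one.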

From here it was only a matter of time before I could start collecting other users' data. It was a very simple vulnerability, but it can't be directly targeted unless and until an attacker buys a car.
