OAuth client secret leak and possible IDOR leading to PII disclosure

Since this vulnerability is still in triage, I will only give a vague overview of the bug chain.

Whilst working on my automation, I was investigating various interesting subdomains it had found. One of them was owned by a SaaS bug bounty program. I was reading the HTML source of various pages, in particular an OAuth login page, which we'll refer to as oauth.example.com. On its "Username Recovery" page I noticed a JavaScript file containing what appeared to be environment variables, including OAuth client credentials.

By crafting a POST request with those leaked credentials, I was able to generate an access token. At this point I contacted my good friend Bendtheory for some collaboration. The same JS file also referenced a subdomain, api.example.com. Bendy ran that subdomain through gau, which returned a number of endpoints, and those gave us several site-specific ID values.

Next, in Burp Suite, we used Intruder to test those endpoints with our newfound access token, enumerating across the previously mentioned ID values. Incredibly, the access token gave us access to PII belonging to the program's customers. Using data gathered from those endpoints, we were able to test the API extensively: a widgets endpoint leaked the entire list of users for a given organisation. We also searched GitHub for further endpoints to test.

This leaked:

  • Full Names
  • Usernames
  • Email Addresses
  • Phone Numbers
  • Employee IDs
  • Job Titles
  • Login Timestamps

The /me endpoint returned the following message:

User '<system>' does not fall under the requested users hierarchy.

It is not clear whether the PII was accessible because of an IDOR in the ID parameter, or because of special privileges granted to the <system> user. Since the ID values are publicly available, either way it would be possible to enumerate the PII of any customer in a highly targeted manner.
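To illustrate the authorization gap described above, here is an added example in Python (not the program's own code): a constructed user directory with a deliberately IDOR-vulnerable lookup beside a hardened one that enforces the users-hierarchy rule the /me response hints at, and that also refuses user-scoped reads to a token with no user subject, such as one minted from leaked client credentials. The directory data, function names and the exact semantics of the hierarchy check are assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed sample directory (not the program's data): two organisations,
# each a small reporting tree keyed by user ID. Values: (org_id, manager_id, email)
USERS: Dict[int, Tuple[int, Optional[int], str]] = {
    1: (100, None, "ceo@org-a.example"),
    2: (100, 1, "lead@org-a.example"),
    3: (100, 2, "dev@org-a.example"),
    4: (200, None, "ceo@org-b.example"),
    5: (200, 4, "dev@org-b.example"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested user record."""


def falls_under(subject_id: int, target_id: int) -> bool:
    """True if target is the subject or a transitive report of the subject.

    Walks the manager chain upwards from the target; the seen-set guards
    against a corrupted directory with a cycle in its manager links.
    """
    seen = set()
    cur: Optional[int] = target_id
    while cur is not None and cur not in seen:
        if cur == subject_id:
            return True
        seen.add(cur)
        cur = USERS[cur][1] if cur in USERS else None
    return False


def get_user_vulnerable(token_subject: Optional[int], requested_id: int) -> dict:
    """Checks that a token was presented, but never asks whose record it is: IDOR."""
    org_id, _, email = USERS[requested_id]
    return {"id": requested_id, "org": org_id, "email": email}


def get_user_hardened(token_subject: Optional[int], requested_id: int) -> dict:
    """Object-level check: machine tokens (no user subject) and users outside
    the caller's hierarchy are refused before any PII is read."""
    if token_subject is None:
        raise Forbidden("client-credentials token has no user subject")
    if not falls_under(token_subject, requested_id):
        raise Forbidden(f"User '{token_subject}' does not fall under the "
                        "requested users hierarchy.")
    org_id, _, email = USERS[requested_id]
    return {"id": requested_id, "org": org_id, "email": email}
```

With this data, a token for user 5 (org B) can read user 3 (org A) through the vulnerable handler, while the hardened handler refuses both that request and any request made with a subject-less machine token.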

This vulnerability was triaged as Critical.