Given that this vulnerability is still in triage, I will give a vague overview of the bug chain.
Crafting a POST request, I was able to generate an access token. At this point, I contacted my good friend Bendtheory for some collaboration. Now, this JS file contained a subdomain called api.example.com. Bendy decided to shove this subdomain into Gau, and it returned some endpoints. This gave us several site-specific ID values.
Next, opening Burp Suite, we booted up Intruder, tested those endpoints with our newfound access token, and enumerated across the previously mentioned ID values. Incredibly, the access token gave us access to PII of the BBP's customers. Using data gathered from those endpoints, we were able to extensively test the API. A widgets endpoint leaked the entire list of users for a given organisation, including:
- Full Names
- Email Addresses
- Phone Numbers
- Employee IDs
- Job Titles
- Login Timestamps
We also looked on GitHub for more endpoints to test.
The /me endpoint returned the following message:
`User '<system>' does not fall under the requested users hierarchy.`
It is not clear whether the PII was accessible due to an IDOR in the ID parameter, or special privileges given to the <system> user. Given that the ID values are publicly available, it would be possible to enumerate the PII of any customer in a highly targeted manner.
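The `/me` message hints at the check the API should have applied to every user lookup: the requested record must fall under the caller's own organisation hierarchy, not merely be fetched with a valid token. The following is an added illustration of that object-level authorization check, not code from this write-up or from the affected program. The organisation tree, token format, user records and the `get_user_*` function names are all constructed assumptions for the example; the "vulnerable" variant reproduces the IDOR pattern described above, and the hardened variant beside it returns the same "not found" answer for absent and out-of-scope IDs so that responses do not confirm which IDs exist.

```python
"""Object-level authorization for a user-lookup endpoint (added example).

Everything below is constructed for illustration: the organisation
hierarchy, the token table and the user directory are assumptions,
not the real API's data or code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    org: str          # organisation the record belongs to
    full_name: str
    email: str


# Constructed sample directory: two organisations, a few users each.
USERS = {
    101: User(101, "acme", "Alice Example", "alice@acme.example"),
    102: User(102, "acme", "Bob Example", "bob@acme.example"),
    201: User(201, "globex", "Carol Example", "carol@globex.example"),
}

# Constructed organisation hierarchy: parent -> set of child organisations.
ORG_CHILDREN = {
    "acme-parent": {"acme"},
    "acme": set(),
    "globex": set(),
}

# Constructed access tokens: token -> (subject, organisation the token is scoped to).
TOKENS = {
    "tok-acme-admin": ("admin@acme", "acme-parent"),
    "tok-globex-user": ("carol@globex", "globex"),
}


class AuthError(Exception):
    """Raised for an invalid token or a record the caller may not read."""


def org_subtree(root: str) -> set:
    """Return the root organisation plus every organisation beneath it."""
    seen, stack = set(), [root]
    while stack:
        org = stack.pop()
        if org in seen:
            continue
        seen.add(org)
        stack.extend(ORG_CHILDREN.get(org, ()))
    return seen


def get_user_vulnerable(token: str, user_id: int) -> User:
    """IDOR pattern: verifies only that the token is valid, then returns any record."""
    if token not in TOKENS:
        raise AuthError("invalid token")
    return USERS[user_id]


def get_user_hardened(token: str, user_id: int) -> User:
    """Object-level check: the record must fall under the caller's hierarchy."""
    if token not in TOKENS:
        raise AuthError("invalid token")
    _subject, scope = TOKENS[token]
    record = USERS.get(user_id)
    # Same answer for "no such ID" and "ID outside your scope", so the
    # endpoint does not reveal which IDs exist to a caller who may not read them.
    if record is None or record.org not in org_subtree(scope):
        raise AuthError("not found")
    return record


if __name__ == "__main__":
    # A token scoped to "globex" can read an "acme" record through the vulnerable
    # handler, but the hardened handler refuses it.
    print(get_user_vulnerable("tok-globex-user", 101).email)
    try:
        get_user_hardened("tok-globex-user", 101)
    except AuthError as err:
        print("hardened:", err)
```

The hierarchy walk is what makes the check match the message seen on `/me`: a token scoped to a parent organisation can read records of its child organisations, while a token from an unrelated organisation cannot, regardless of whether it guessed a valid ID.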
This vulnerability was triaged as Critical.