CVE-ID: CVE-2023-36331
Broken Access Control - Unauthorized Access to Other Users' Orders
Description
This issue is related to #98 and demonstrates the same security vulnerability.
Reproduction Steps
1. Set up the environment as described in "Cart endpoints allow cross-account modifications" (#98), and create an "iPhone X" order as the "target1" user.
2. Log in with a test account.
3. Modify the userId parameter in the request to "target1".
4. The response returns the order list belonging to the "target1" user.
Vulnerability Details
Type: Broken Access Control (IDOR - Insecure Direct Object Reference)
Impact: Any authenticated user can access other users' order information by simply modifying the userId parameter, leading to:
- Privacy breach
- Unauthorized access to sensitive order data
- Potential data manipulation
Proof of Concept
As shown in the screenshot above, by manipulating the userId parameter, we successfully accessed orders belonging to another user (target1).
Expected Behavior
The system should:
- Validate that the requesting user has permission to access the specified orders
- Only return orders belonging to the authenticated user
- Return an authorization error (403 Forbidden) when a user attempts to access other users' data
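The three expected behaviours above, shown side by side with the broken pattern this report describes, as an added example that is not the affected project's code. The in-memory order store, the user names "target1" and "attacker", and the Request/Response shapes are all constructed for illustration; the point is that the owner of the data must come from the authenticated session, never from a client-supplied userId.

```python
"""Added example: an order-listing endpoint that trusts a client-supplied
userId (the IDOR pattern in this report) next to hardened handlers that
scope every lookup to the authenticated session.  Store, users, and the
request/response shapes are constructed; none of this is the project's code."""
from dataclasses import dataclass, field

# Constructed sample data: each order records who owns it.
ORDERS = [
    {"order_id": 1001, "owner": "target1", "item": "iPhone X", "total": 999.0},
    {"order_id": 2001, "owner": "attacker", "item": "USB cable", "total": 9.0},
]


@dataclass
class Request:
    session_user: str                              # established at login: trusted
    params: dict = field(default_factory=dict)     # query/body values: untrusted


@dataclass
class Response:
    status: int
    body: object = None


def orders_for(user_id: str) -> list:
    """Every order whose recorded owner is user_id."""
    return [o for o in ORDERS if o["owner"] == user_id]


def list_orders_vulnerable(req: Request) -> Response:
    """Broken access control: the owner of the returned orders is whatever
    the client put in userId, so any logged-in user can read anyone's orders."""
    user_id = req.params.get("userId", req.session_user)
    return Response(200, orders_for(user_id))


def list_orders_fixed(req: Request) -> Response:
    """Hardened listing: results are always scoped to the session user, and a
    userId naming anyone else is refused with 403 instead of being honoured."""
    requested = req.params.get("userId")
    if requested is not None and requested != req.session_user:
        return Response(403, {"error": "forbidden"})
    return Response(200, orders_for(req.session_user))


def get_order_fixed(req: Request, order_id: int) -> Response:
    """Hardened single-order fetch: look the order up, then check ownership
    against the session before returning it.  Returning 404 instead of 403 for
    foreign orders would also avoid confirming that the order exists; 403 is
    used here because that is what this report asks for."""
    order = next((o for o in ORDERS if o["order_id"] == order_id), None)
    if order is None:
        return Response(404, {"error": "not found"})
    if order["owner"] != req.session_user:
        return Response(403, {"error": "forbidden"})
    return Response(200, order)


def demo() -> dict:
    """Run the cross-account request against both handlers."""
    cross_account = Request(session_user="attacker", params={"userId": "target1"})
    own_account = Request(session_user="attacker")
    return {
        "vulnerable": list_orders_vulnerable(cross_account),   # 200, target1's orders
        "fixed_list": list_orders_fixed(cross_account),        # 403
        "fixed_own": list_orders_fixed(own_account),           # 200, own orders only
        "fixed_get": get_order_fixed(cross_account, 1001),     # 403
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name}: {resp.status} {resp.body}")
```

The listing handler does not even need a userId parameter once it is scoped to the session; keeping the parameter and rejecting mismatches only makes the refusal visible in logs, which is useful when hunting for the probing this report describes.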
Severity
High - This vulnerability allows any authenticated user to access sensitive information of other users.