Obtaining information about Newsletter

State: Resolved in May, 2021
Issue ID: fSx-WLApAKMOEL7PQ-_
Asset: Web application
Bounty: $100
Reported in: May, 2021
Reporter: Hardik Gupta
Severity: Low
Visibility: Complete
Weakness: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)

Description

An authenticated malicious user can learn whether or not any other user is subscribed to the newsletter, by supplying that user's user_id to an endpoint that does not check that the requested user_id belongs to the caller.

Step by step - Scenario

  1. Prerequisite: at least two accounts (the attacker and a regular user).
  2. The attacker obtains the regular user's user_id.
  3. The attacker, logged in to their own account, sends a GET request with the regular user's user_id as the parameter.
  4. The response contains the regular user's newsletter subscription status (true or false).
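The scenario above is an authorization failure on an object reference (the user_id in the query string). The following is an added illustration, not code from the report or from the affected application: a framework-free handler that reproduces the reported behaviour next to a hardened version that takes the subject of the lookup from the session identity instead. The endpoint path, the parameter name `user_id`, the in-memory subscription table and the two account ids are assumptions; the report gives none of them.

```python
"""Added example (not from the report): an IDOR on a newsletter-status endpoint
and the authorization check that closes it. Endpoint path, parameter name and
the in-memory store are assumptions; the report does not name them."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two accounts, as in the report's two-user scenario.
SUBSCRIPTIONS = {
    1001: True,   # regular user, subscribed
    1002: False,  # attacker, not subscribed
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: authenticated user plus URL."""
    session_user_id: int          # identity taken from the session cookie
    url: str                      # e.g. "/api/newsletter/status?user_id=1001"

    def query_int(self, key: str) -> Optional[int]:
        qs = parse_qs(urlsplit(self.url).query)
        try:
            return int(qs[key][0])
        except (KeyError, ValueError, IndexError):
            return None


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_status(req: Request) -> Response:
    """Reproduces the reported behaviour: the handler trusts the caller-supplied
    user_id and never compares it with the session identity."""
    user_id = req.query_int("user_id")
    if user_id is None or user_id not in SUBSCRIPTIONS:
        return Response(404, {"error": "not found"})
    return Response(200, {"user_id": user_id, "subscribed": SUBSCRIPTIONS[user_id]})


def hardened_status(req: Request) -> Response:
    """Fix: the subject of the lookup is the authenticated user. A user_id in the
    query string is tolerated only when it equals the session identity; anything
    else is rejected with 403 before any data is read, so the check itself does
    not reveal whether the requested id exists."""
    requested = req.query_int("user_id")
    if requested is not None and requested != req.session_user_id:
        return Response(403, {"error": "forbidden"})
    user_id = req.session_user_id
    if user_id not in SUBSCRIPTIONS:
        return Response(404, {"error": "not found"})
    return Response(200, {"user_id": user_id, "subscribed": SUBSCRIPTIONS[user_id]})


def demo() -> dict:
    """Attacker (1002) requests the regular user's (1001) status against both
    handlers and returns the two responses so the difference is visible."""
    attack = Request(session_user_id=1002, url="/api/newsletter/status?user_id=1001")
    return {"vulnerable": vulnerable_status(attack), "hardened": hardened_status(attack)}


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name:10s} -> {resp.status} {resp.body}")
```

The essential change is that the hardened handler never uses the caller-supplied id to choose whose record to read; the only legitimate subject is the session user, so the parameter becomes redundant and a mismatch is a hard failure. Checking the mismatch before the store lookup also keeps the 403/404 split from confirming which user_ids exist.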

Expected

A user's newsletter subscription status should be visible only to that user (and to authorized staff), never to another authenticated user who supplies their user_id.