This year, we encountered a critical broken access control issue in the Console that exposed data to the wrong users. Users holding one role were able to reach data and perform state-changing operations that should only have been available to other roles. To our surprise, the problem was not confined to a single endpoint but was observed throughout the entire application, which pointed to missing server-side role checks rather than a one-off bug.
Understanding the severity of the situation, we immediately set out to identify every affected endpoint and documented each one thoroughly so the list could be handed over to the developers for a fix. Specifically, the issue allowed users to:
- Access data and endpoints intended for other roles.
- Perform state-changing operations that should have been strictly restricted to specific roles.
The impact of this vulnerability was significant. For instance, users were able to read sensitive patient records and financial transaction data. Realizing the gravity of this risk, we made testing for broken access control and data leakage a standing part of our process, ensuring that the Console and its integrations with other applications are thoroughly reviewed for it.
The risk from this vulnerability is high, as unauthorized access can lead to:
- Data integrity issues.
- Misuse of critical operations.
- Security breaches exposing sensitive information.
To address this problem, we proposed the following measures:
- Server-Side Authorization Checks:
- Explicit server-side checks must be implemented so that users can only reach endpoints and perform actions permitted by their roles; a check that exists only in the user interface is not a control, because the endpoint can be called directly.
- The caller's role-based permissions should be verified against an access control list (ACL) on the server for every request, using the role from the authenticated session rather than anything supplied by the client.
- Access Control Policies:
- Strict role-based access control (RBAC) must be enforced across the application to limit access to sensitive functionalities.
- Roles and permissions need to be clearly defined and properly implemented.
- Audit and Testing:
- Conduct regular security audits and penetration testing to identify and fix privilege escalation vulnerabilities, exercising every endpoint with every role rather than sampling a few.
- Validate access controls during code reviews and testing phases to ensure security gaps are addressed proactively.
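The following is an added example, not the Console's own code: it shows the pattern behind the measures above in Python, with a vulnerable endpoint that trusts the caller beside the same endpoint behind an explicit server-side check, plus the endpoint-by-role matrix we used to find endpoints with no effective check. The roles, permissions, endpoint names and sample arguments are assumptions for illustration; the write-up does not name the Console's actual roles.

```python
from dataclasses import dataclass
from functools import wraps

# Roles and permissions are assumptions for illustration; the real Console's
# roles are not named in the write-up. Unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "admin":     {"patients:read", "patients:write", "transactions:read", "transactions:refund"},
    "clinician": {"patients:read", "patients:write"},
    "finance":   {"transactions:read", "transactions:refund"},
    "viewer":    {"patients:read"},
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset  # taken from the authenticated session, never from request parameters


class Forbidden(Exception):
    """Raised when the server-side check denies the request (the endpoint fails closed)."""


def has_permission(user: User, permission: str) -> bool:
    """True if any of the user's roles grants the permission according to the ACL."""
    return any(permission in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def require(permission: str):
    """Decorator enforcing the ACL on the server before the handler body runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if not has_permission(user, permission):
                raise Forbidden(f"{user.username} lacks {permission} for {handler.__name__}")
            return handler(user, *args, **kwargs)
        wrapper.required_permission = permission  # lets audits list what each endpoint demands
        return wrapper
    return decorator


# "Before": the UI hides the refund button from non-finance users, but the endpoint
# itself performs no check, so anyone who can reach it can refund. (Constructed example.)
def refund_transaction_vulnerable(user: User, txn_id: str, amount: int) -> dict:
    return {"txn": txn_id, "refunded": amount, "by": user.username}


# "After": the same handler behind an explicit server-side permission check.
@require("transactions:refund")
def refund_transaction(user: User, txn_id: str, amount: int) -> dict:
    return {"txn": txn_id, "refunded": amount, "by": user.username}


@require("patients:read")
def get_patient_record(user: User, patient_id: str) -> dict:
    return {"patient": patient_id, "record": "<redacted>"}


# Endpoint inventory with constructed sample arguments, so every endpoint can be
# exercised with every role during testing.
ENDPOINTS = {
    "refund_transaction_vulnerable": (refund_transaction_vulnerable, ("T-1001", 50)),
    "refund_transaction": (refund_transaction, ("T-1001", 50)),
    "get_patient_record": (get_patient_record, ("P-42",)),
}


def access_matrix(endpoints=ENDPOINTS, roles=ROLE_PERMISSIONS) -> dict:
    """Call every endpoint as a test user holding each single role.
    matrix[role][endpoint] is True when the call succeeded, False when it was denied."""
    matrix = {}
    for role in roles:
        user = User(username=f"test-{role}", roles=frozenset({role}))
        matrix[role] = {}
        for name, (handler, args) in endpoints.items():
            try:
                handler(user, *args)
                matrix[role][name] = True
            except Forbidden:
                matrix[role][name] = False
    return matrix


def missing_authorization(matrix: dict) -> list:
    """Endpoints reachable by every role: the ones with no effective server-side check."""
    if not matrix:
        return []
    names = next(iter(matrix.values())).keys()
    return [name for name in names if all(matrix[role][name] for role in matrix)]


if __name__ == "__main__":
    matrix = access_matrix()
    for role, row in matrix.items():
        print(role, row)
    print("missing authorization:", missing_authorization(matrix))
```

Running the script lists the matrix and flags `refund_transaction_vulnerable` as reachable by every role, which is exactly the signature of the finding described above; the hardened `refund_transaction` is denied for `clinician` and `viewer`. In a real deployment the ACL would come from a policy store rather than a module-level dictionary, and the decorator would sit in the framework's request pipeline, but the check itself belongs on the server in both cases.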
Our team discussed the issue and raised it as a ticket. We then put the above measures to the developers and sat down together to take immediate action on the Console, agreeing which measures applied to the company and to the development team.
Fortunately, we were able to implement RBAC across the application, and because the vulnerability was critical, every team member worked on it so the fix landed quickly. With these cooperative efforts, the issue was fixed.