FirstBlood-#1481 — PII of doctors leaked through /api/doctors.php
This issue was discovered on FirstBlood v3
On 2022-12-10, 0xblackbird Level 5 reported:
I found out that /api/doctors.php returned all PII of any doctor.
Since the endpoint wasn't referenced anywhere on the web interface, developers may have thought that it isn't a big deal. However, they may have underestimated that content discovery through bruteforcing is still a thing.
I was able to leak private PII of doctors as an unauthorized user.
Steps to reproduce:
/api/doctors.php should list you all the registered doctors' PII
I recommend restricting access to this endpoint to only allow privileged users to read such sensitive data.
Have a nice day.
FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure
It is possible to leak doctors' private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed.
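The report's point that unlinked endpoints are still found through content discovery can be checked from the defender's side. The following is an added example, not part of the original report or the FirstBlood code base: it scans access-log lines for clients that produce many distinct 404s and lists the /api/ paths that answered them with 200. The combined log format, the sample lines (constructed), the function name and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; paths other than
# /api/doctors.php are made-up wordlist guesses, not FirstBlood endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2022:10:00:01 +0000] "GET /api/test.php HTTP/1.1" 404 153 "-" "wordlist-client"
203.0.113.7 - - [10/Dec/2022:10:00:01 +0000] "GET /api/users.php HTTP/1.1" 404 153 "-" "wordlist-client"
203.0.113.7 - - [10/Dec/2022:10:00:02 +0000] "GET /api/backup.php HTTP/1.1" 404 153 "-" "wordlist-client"
203.0.113.7 - - [10/Dec/2022:10:00:02 +0000] "GET /api/config.php HTTP/1.1" 404 153 "-" "wordlist-client"
203.0.113.7 - - [10/Dec/2022:10:00:03 +0000] "GET /api/debug.php HTTP/1.1" 404 153 "-" "wordlist-client"
203.0.113.7 - - [10/Dec/2022:10:00:03 +0000] "GET /api/doctors.php HTTP/1.1" 200 2841 "-" "wordlist-client"
198.51.100.20 - - [10/Dec/2022:10:01:10 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2022:10:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) '
)

def find_discovered_endpoints(log_text, prefix="/api/", min_404_paths=5):
    """Map each client that looks like it is doing content discovery
    (at least min_404_paths distinct 404 paths) to the paths under
    `prefix` that returned 200 to it. Those paths are the ones to review
    for missing authentication."""
    misses = defaultdict(set)   # client -> distinct paths that returned 404
    hits = defaultdict(set)     # client -> prefix paths that returned 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that are not in the assumed format
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]   # ignore the query string
        if status == "404":
            misses[ip].add(path)
        elif status == "200" and path.startswith(prefix):
            hits[ip].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()
            if len(misses[ip]) >= min_404_paths}

if __name__ == "__main__":
    for ip, paths in find_discovered_endpoints(SAMPLE_LOG).items():
        print(ip, "reached:", ", ".join(paths))
```

Any path this reports should be confirmed to require a privileged session, which is the fix the report recommends for /api/doctors.php.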