I was trying to book an appointment on a site a few months back and chanced upon a vulnerability that allows unauthenticated users of the site to retrieve personal information that might not belong to them.
Brief description of the issue: It was possible to obtain a user's full name and/or passport number from a known valid NRIC/FIN number by looking at the JSON responses from the server. A malicious user could write a script that sends specially crafted cURL requests and automatically harvests personally identifiable information (PII) of members of the general public. This can be done without first being authenticated via a login or similar mechanism. The issue could be mitigated by requiring additional validation information, such as the person's date of birth or other personal data, before returning the user's private data.
A sample cURL request is shown below.
One could craft a script that replaces the parameter in the red box with a list of valid NRIC/FIN numbers, sends the requests, and harvests personal information from the JSON responses, like the one shown below:
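A minimal illustration of the mitigation suggested above (an authenticated session plus the date of birth as a second piece of validation data) next to the reported lookup pattern. This is added example code, not the affected site's code; the record store, field names, NRIC/FIN values and Session object are constructed assumptions.

```python
"""NRIC/FIN -> personal data lookup: reported pattern beside a hardened form.

Added illustration, not the affected site's code. Records, field names and
the Session object are constructed assumptions.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; the NRIC/FIN and passport values are made up.
RECORDS = {
    "S0000001A": {"full_name": "Alice Tan", "passport_no": "E00000001", "dob": "1990-01-02"},
    "G0000002B": {"full_name": "Bob Lim", "passport_no": "E00000002", "dob": "1985-06-30"},
}

# Shape of an NRIC/FIN (prefix letter, 7 digits, check letter); checksum not verified here.
NRIC_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")


@dataclass
class Session:
    authenticated: bool  # assumed to be set by the site's login flow


def lookup_vulnerable(nric: str) -> Optional[dict]:
    """The reported pattern: any caller who knows a valid NRIC/FIN gets the record."""
    return RECORDS.get(nric)


def lookup_hardened(session: Session, nric: str, dob: str) -> Optional[dict]:
    """Return data only to an authenticated caller who also presents the matching
    date of birth, without revealing whether the NRIC/FIN exists at all."""
    if not session.authenticated:
        return None
    if not NRIC_RE.match(nric or ""):
        return None
    record = RECORDS.get(nric)
    # Compare against a dummy value when the record is missing so that an unknown
    # NRIC/FIN and a wrong DOB produce the same response and timing profile.
    expected = record["dob"] if record else "0000-00-00"
    if not hmac.compare_digest(expected.encode(), (dob or "").encode()):
        return None
    # Data minimisation: return only what the booking flow is assumed to need;
    # the passport number never leaves the server.
    return {"full_name": record["full_name"]}
```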
The relevant authorities have been contacted and the issue has now been fixed.