Description
The api/mobile/preorders#preorder_attributes action fetches a Preorder object based on the external_id provided in the URL parameters (params[:id]) without checking if the authenticated user is authorized to access the fetched preorder. This allows any user who knows a valid external_id of a preorder in the authorization_successful or charge_successful state to view its attributes, potentially exposing sensitive information like the associated user and purchase IDs.
Reproduction Steps:
- Obtain a valid `external_id` for a preorder that is in either the `authorization_successful` or `charge_successful` state.
- As an authenticated user (who does not own the preorder), send a GET request to `/mobile/preorders/preorder_attributes/:id`, replacing `:id` with the obtained `external_id`.
Exploitation:
An attacker can exploit this by iterating through potential external_id values or using a known valid ID to access preorder details they are not authorized to view. The response includes data from the mobile_json_data method, which contains potentially sensitive information such as user_id and purchase_id.
Proof of Concept (Conceptual):
Assuming an attacker knows a valid `external_id` (e.g., `abc123xyz`) for a preorder they do not own:
```
curl -X GET "https://gumroad.com/mobile/preorders/preorder_attributes/abc123xyz" -H "Authorization: Bearer [attacker's_auth_token]"
```
The response would contain the details of the preorder with `external_id` `abc123xyz`, regardless of whether the authenticated user is the owner or has any association with it.
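To make the missing check concrete, here is an added example (not Gumroad's code) modelling the lookup in plain Ruby: the unscoped lookup the report describes beside a lookup scoped to the authenticated user's own preorders. The `Preorder` struct, the `PREORDERS` sample table and the `NotFound` error are assumptions; in a Rails controller the scoped form corresponds to `current_user.preorders.find_by!(external_id: params[:id])`.

```ruby
# Constructed, minimal stand-in for the Preorder model (assumed shape).
Preorder = Struct.new(:external_id, :user_id, :purchase_id, :state) do
  # Mirrors the fields the report says mobile_json_data exposes.
  def mobile_json_data
    { external_id: external_id, user_id: user_id,
      purchase_id: purchase_id, state: state }
  end
end

# Only preorders in these states are served by the action (from the report).
VISIBLE_STATES = %w[authorization_successful charge_successful].freeze

# Constructed sample rows standing in for the preorders table.
PREORDERS = [
  Preorder.new("abc123xyz", 1, 101, "charge_successful"),
  Preorder.new("def456uvw", 2, 202, "authorization_successful"),
  Preorder.new("ghi789rst", 2, 203, "failed"),
].freeze

class NotFound < StandardError; end

# Vulnerable shape: the record is selected by external_id and state alone,
# so any authenticated caller who knows the id receives its attributes.
def preorder_attributes_unscoped(external_id)
  preorder = PREORDERS.find do |p|
    p.external_id == external_id && VISIBLE_STATES.include?(p.state)
  end
  raise NotFound if preorder.nil?
  preorder.mobile_json_data
end

# Hardened shape: the lookup starts from the caller's own preorders, so a
# foreign id raises the same NotFound as a nonexistent one (no existence
# oracle) and the state filter is applied within that scope.
def preorder_attributes_for_user(current_user_id, external_id)
  preorder = PREORDERS.find do |p|
    p.user_id == current_user_id &&
      p.external_id == external_id &&
      VISIBLE_STATES.include?(p.state)
  end
  raise NotFound if preorder.nil?
  preorder.mobile_json_data
end
```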