Submit #708176: youlai-mall latest Improper Control of Resource Identifiers

Title: youlai-mall latest Improper Control of Resource Identifiers
Description:

# youlai-mall improper access control and business logic flaw exposes mobile→memberId mapping via GET /mall-ums/app-api/v1/members/mobile/{mobile}, enabling horizontal privilege escalation and unauthorized operations on victim accounts

## Contributors: Huang Weigang

### 1. Vulnerability Impact

- youlai-mall (latest)
- `https://github.com/youlaitech/youlai-mall`

### 2. Vulnerability Location

- GET `/mall-ums/app-api/v1/members/mobile/{mobile}`

### 3. Code Analysis

- File: `mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java`
- Route and method:

```java
@GetMapping("/mobile/{mobile}")
public Result<MemberAuthDTO> getMemberByMobile(@PathVariable String mobile) {
    MemberAuthDTO memberAuthInfo = memberService.getMemberByMobile(mobile);
    return Result.success(memberAuthInfo);
}
```

- Service: `mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/service/impl/UmsMemberServiceImpl.java`

```java
public MemberAuthDTO getMemberByMobile(String mobile) {
    UmsMember entity = this.getOne(new LambdaQueryWrapper<UmsMember>()
            .eq(UmsMember::getMobile, mobile)
            .select(UmsMember::getId, UmsMember::getMobile, UmsMember::getStatus));
    ...
    return memberConvert.entity2MobileAuthDTO(entity);
}
```

- Issues:
  - No ownership check (missing validation that the provided `mobile` belongs to the currently logged-in member, e.g., binding `mobile` to `SecurityUtils.getMemberId()`).
  - No role/permission control (no `@PreAuthorize`; any authenticated App user can query arbitrary `mobile` numbers).
  - Overexposed authentication data (returns `MemberAuthDTO` including `id/mobile/status` and `username = mobile`, enabling account existence mapping).
  - Supports horizontal privilege escalation (an attacker supplies the victim's `mobile` and obtains the victim's `memberId`, fueling subsequent IDOR/BOLA attacks).
  - Privacy violation (mobile phone numbers are sensitive PII; exposing the mapping enables targeted harassment and social engineering).
  - Lacks enumeration/rate limiting and auditing (the distinct error code `USER_NOT_EXIST` can be used to validate and enumerate mobile numbers at scale).

### Vulnerability Reproduction

#### Preconditions

- Attacker has a valid App login token (`Authorization: Bearer <token>`).
- Victim's `mobile` number is known or discoverable (public profiles, social media, data breaches, brute-force enumeration).
- Target endpoint: `GET /mall-ums/app-api/v1/members/mobile/{mobile}`

#### Steps (horizontal privilege escalation: fetch another user's auth info)

- Log in as User A and obtain a valid token.
- Call the endpoint with User B's `mobile` number:
  - `curl -X GET -H "Authorization: Bearer <token>" "https://<gateway>/mall-ums/app-api/v1/members/mobile/13800138000"`
- Observe a 200 OK response, for example:
  - `{"code":"00000","data":{"id":12345,"username":"13800138000","status":1},"msg":"一切ok"}`
- Outcome: without any ownership validation, the attacker learns the `memberId ↔ mobile` mapping for the victim, enabling targeted abuse of other vulnerable App endpoints (balances, orders, addresses) that rely on predictable IDs.

#### Example request/response log (reference)

```json
{
  "data": {
    "request_data": {
      "method": "GET",
      "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/mobile/13800138000",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": {"id": 12345, "username": "13800138000", "status": 1},
      "msg": "一切ok"
    }
  },
  "test": {
    "request_data": {
      "method": "GET",
      "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/mobile/13800138000",
      "params": {},
      "json": {},
      "data": {},
      "files": {}
    },
    "response_data": {
      "code": "00000",
      "data": {"id": 12345, "username": "13800138000", "status": 1},
      "msg": "一切ok"
    }
  }
}
```

### 4. Impact Description

- Unauthorized authentication data disclosure
  - Any logged-in user can retrieve another user's `MemberAuthDTO` via `mobile`, exposing the `memberId` mapping and privacy-sensitive identifiers.
- Horizontal privilege escalation enabler
  - The `memberId ↔ mobile` mapping powers subsequent IDOR/BOLA attacks on balance, order, and address endpoints, dramatically lowering attack complexity.
- Privacy violation and PII exposure
  - Mobile phone numbers are highly sensitive personal information; this endpoint enables unauthorized linking of phone numbers to internal account IDs.
- Account existence enumeration
  - Distinct success/error responses allow attackers to validate mobile numbers at scale, facilitating user profiling, targeted phishing, and social engineering.
- Compliance and regulatory risk
  - Exposing the mobile-number-to-account mapping without proper authorization violates privacy regulations (GDPR, CCPA, PIPL) and data protection best practices.
- Expanded attack surface and chain amplification
  - When chained with other horizontally vulnerable endpoints (e.g., balance deduct, order delete/pay), attackers can systematically manipulate victim accounts using only their phone numbers.
- Harassment and social engineering enabler
  - Attackers can use this endpoint to confirm account existence and then launch targeted SMS phishing, harassment campaigns, or account takeover attempts.
- System trust erosion
  - Authentication-related interfaces should be restricted or internal-only; the current design blurs identity-resource boundaries and undermines the security posture.
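The two shapes of the lookup side by side, as an added illustration that is not code from youlai-mall or from the submitter. It models the report's "no ownership check" finding and the fix the report itself points at (binding `mobile` to the caller's member id) in plain Java with an in-memory map standing in for the `ums_member` table; the class, method and sample member names and numbers are constructed for the example, and `SecurityUtils.getMemberId()` is only referenced in comments as the real source of the caller id.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical, self-contained model of the affected lookup: no Spring, no MyBatis-Plus.
 * An in-memory map stands in for the ums_member table; all member data is constructed.
 */
public class MemberLookupDemo {

    /** Mirrors the fields the report says MemberAuthDTO exposes (id, username = mobile, status). */
    record MemberAuthDTO(long id, String username, int status) {}

    /** Minimal stand-in for the UmsMember entity. */
    record UmsMember(long id, String mobile, int status) {}

    /** Constructed sample data standing in for the database. */
    private static final Map<String, UmsMember> MEMBERS_BY_MOBILE = new HashMap<>();
    static {
        MEMBERS_BY_MOBILE.put("13800138000", new UmsMember(12345L, "13800138000", 1));
        MEMBERS_BY_MOBILE.put("13900139000", new UmsMember(67890L, "13900139000", 1));
    }

    /**
     * VULNERABLE shape, as the report describes it: the caller's identity is never consulted.
     * Any authenticated caller who supplies a mobile number receives that member's id and status,
     * and the distinct "not found" outcome lets the caller tell registered numbers from unknown ones.
     */
    static Optional<MemberAuthDTO> getMemberByMobileUnchecked(String mobile) {
        UmsMember entity = MEMBERS_BY_MOBILE.get(mobile);
        if (entity == null) {
            return Optional.empty(); // distinct USER_NOT_EXIST-style outcome
        }
        return Optional.of(new MemberAuthDTO(entity.id(), entity.mobile(), entity.status()));
    }

    /**
     * HARDENED shape: the lookup is bound to the caller's own member id, the equivalent of
     * pairing the path variable with SecurityUtils.getMemberId() in the real controller.
     * "Number not registered" and "number belongs to someone else" collapse into the same
     * empty result, so the endpoint no longer works as an account-existence oracle.
     */
    static Optional<MemberAuthDTO> getOwnMemberByMobile(String mobile, long callerMemberId) {
        UmsMember entity = MEMBERS_BY_MOBILE.get(mobile);
        if (entity == null || entity.id() != callerMemberId) {
            return Optional.empty(); // identical answer for both failure cases
        }
        return Optional.of(new MemberAuthDTO(entity.id(), entity.mobile(), entity.status()));
    }

    public static void main(String[] args) {
        long callerA = 67890L;               // User A is the logged-in caller
        String otherMobile = "13800138000";  // User B's number (constructed)

        // Before: A resolves B's memberId from B's phone number.
        System.out.println("unchecked, other's number: " + getMemberByMobileUnchecked(otherMobile));

        // After: A gets the same empty answer for B's number and for an unregistered number.
        System.out.println("bound, other's number:     " + getOwnMemberByMobile(otherMobile, callerA));
        System.out.println("bound, unknown number:     " + getOwnMemberByMobile("13700137000", callerA));

        // After: A can still resolve A's own record.
        System.out.println("bound, own number:         " + getOwnMemberByMobile("13900139000", callerA));
    }
}
```

In the real controller the second parameter would come from the authenticated principal rather than from the request, which is what the report means by binding `mobile` to `SecurityUtils.getMemberId()`; if the App genuinely only needs the caller's own record, dropping the path variable altogether and serving `/members/me` removes the user-controlled identifier entirely. Returning one indistinguishable result for "not found" and "not yours" is what closes the enumeration channel the report attributes to the distinct `USER_NOT_EXIST` code, and a per-caller rate limit plus an audit log on the endpoint covers the remaining "lacks enumeration/rate limiting and auditing" item.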
Source: https://github.com/Hwwg/cve/issues/27
User: huangweigang (UID 88993)
Submission: 07.12.2025 07:03 (6 months ago)
Moderation: 25.12.2025 10:50 (18 days later)
Status: Accepted
VulDB Entry: 338414 [youlaitech youlai-mall 1.0.0/2.0.0 MemberController.java getMemberByMobile privilege escalation]
Points: 20
