Exposure of Private Personal Information to an Unauthorized Actor (CWE 359)

From

Classified as non-critical

Discovery description

A compromised user account of a closed organization can retrieve the client key and the device ID via the browser's developer tools. These values could be used to request the corresponding URL with modified parameters and thus retrieve a listing of the users of the associated organization.
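The gap the discovery describes is an authorization one: the endpoint identifies the caller by a client key that is visible in the browser, then serves whichever organization the URL parameter names. The following is an added example, not code from the product or vendor discussed here, showing that weak handler beside a hardened one in which the organization is derived from the authenticated identity and the response is filtered by the caller's role. All users, organizations, keys and role names are constructed for the example.

```python
# Added example (not the disclosed product's code). Contrasts a user-listing
# handler that trusts a caller-supplied organization parameter with one that
# binds the organization to the authenticated session. Every name, key and
# organization below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    org_id: str
    role: str  # hypothetical roles: "member" or "admin"


# Constructed directory spanning two separate organizations.
DIRECTORY = [
    User("alice", "org-A", "admin"),
    User("bob", "org-A", "member"),
    User("carol", "org-B", "admin"),
    User("dave", "org-B", "member"),
]

# Constructed mapping from client key to the user it was issued to.
# The key is readable in browser developer tools, so holding it proves
# who the caller is, not which data the caller may see.
SESSIONS = {"key-alice": "alice", "key-bob": "bob", "key-carol": "carol"}


def lookup_session(client_key):
    """Return the authenticated User for a client key, or None."""
    name = SESSIONS.get(client_key)
    return next((u for u in DIRECTORY if u.name == name), None)


def project(user, viewer):
    """Role-based field filtering: members see names only, admins also see roles."""
    if viewer.role == "admin":
        return {"name": user.name, "role": user.role}
    return {"name": user.name}


def list_users_weak(client_key, org_id):
    """Weak pattern: authenticates the caller, then trusts org_id from the URL.
    Any valid key can enumerate any organization by editing the parameter."""
    caller = lookup_session(client_key)
    if caller is None:
        return None
    return [project(u, caller) for u in DIRECTORY if u.org_id == org_id]


def list_users_hardened(client_key, org_id):
    """Hardened pattern: the organization is taken from the authenticated
    identity. A mismatch is answered like an unknown resource, so the
    response does not confirm that the other organization exists."""
    caller = lookup_session(client_key)
    if caller is None or org_id != caller.org_id:
        return None
    return [project(u, caller) for u in DIRECTORY if u.org_id == caller.org_id]


if __name__ == "__main__":
    # Same tampered request against both handlers.
    print("weak:    ", list_users_weak("key-alice", "org-B"))
    print("hardened:", list_users_hardened("key-alice", "org-B"))
```

The design point is that the server-side check must compare the requested organization against a value the client cannot edit (the session's organization), and that the role filter runs on the server as well; limiting which fields the client renders does nothing once the caller can issue the request directly.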

Assessment of the developer

The developer tends to regard this procedure as uncritical, since the information output is limited and the transmitted data is required by the API. The data scope of the API is the mandatory information content that must be retained so that the clients remain functional. The API only outputs the information that a user is allowed to receive based on their respective assigned role and associated rights within their own organization(s). No other data is output beyond this.
