High · CVSS 7.5 · Information Disclosure

[EN] Sensitive Data Exposure via JSON-RPC (Whistleblowing Channel)

Vulnerability Summary

An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.

Censorship Note: All data (domains, paths, URIs, JSON-RPC methods, variable names, corporate Tax IDs, emails, and company names) have been strictly anonymized using entirely fictional nomenclature (e.g., dashboard.internal-sec.com). This report describes a simulated environment so as to guarantee 100% privacy for the affected program.

This writeup details a high-severity Information Disclosure vulnerability within a corporate Whistleblowing management platform.

Vulnerability Analysis

The flaw centered on a server-side JSON-RPC service that fed the graphical interface. Its actual intended purpose was to list the different available configuration "categories" through this endpoint:

POST /api/v1/services/CoreConfigService.json HTTP/1.1
Host: dashboard.internal-sec.com

The security breach combined two major errors:

  1. Lack of Access Control: the endpoint processed this request without requiring a session (cookies) or any authorization header, so the call could be made completely anonymously.
  2. Data Over-Exposure ("Reverse Mass Assignment", i.e. Excessive Data Exposure): the backend applied no attribute filtering before serializing the response. Instead of returning only the fields the main screen needed to read, the server loaded the entire database object tied to the "Channel" and dumped that whole data tree into the HTTP response sent to the client.
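The two errors above, side by side with the fix, as an added example that is not code from the original page or from the affected vendor. The method name getChannelConfigDetails follows the writeup's fictional naming; the Channel record, the session store and the error codes are all constructed here for illustration. The "before" handler reproduces the reported behaviour (no session check, the raw object serialized); the "after" handler requires a session, checks that the caller may see that channel, and builds the response from an explicit allow-list of fields.

```python
"""Added example: minimal JSON-RPC dispatcher showing the vulnerable handler
beside its hardened form. Not the page's or the vendor's code; all names
and records below are constructed for illustration."""
import json

# Constructed sample record: what the ORM returns for one whistleblowing channel.
# Only id, name and categories are needed by the dashboard; the remaining keys
# stand in for the personal/corporate data the writeup reports as leaked.
CHANNEL_DB = {
    "ch-1": {
        "id": "ch-1",
        "name": "Example Corp reporting channel",
        "categories": ["fraud", "harassment", "safety"],
        "owner_email": "compliance@example-corp.invalid",
        "tax_id": "FICTIONAL-TAX-ID-0001",
        "smtp_password": "hunter2",
        "reports": [{"id": "r-9", "reporter": "anon", "text": "..."}],
    }
}

# Fields the UI actually needs; everything else must never reach the client.
PUBLIC_FIELDS = ("id", "name", "categories")

# Constructed session store: session cookie -> user and channels they may read.
VALID_SESSIONS = {"sess-abc": {"user": "admin", "channels": ["ch-1"]}}


def make_request(channel_id, req_id=1):
    """Build the JSON-RPC body an attacker (or the UI) would POST."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": "getChannelConfigDetails",  # hypothetical name
                       "params": {"channelId": channel_id}})


def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def vulnerable_handler(raw_body, cookies):
    """Before: no session check, and the whole ORM object is serialized."""
    req = json.loads(raw_body)
    if req.get("method") == "getChannelConfigDetails":
        channel = CHANNEL_DB.get(req.get("params", {}).get("channelId"))
        # BUG 1: `cookies` is never consulted.  BUG 2: every attribute is returned.
        return {"jsonrpc": "2.0", "id": req.get("id"), "result": channel}
    return rpc_error(req.get("id"), -32601, "Method not found")


def hardened_handler(raw_body, cookies):
    """After: session required, object-level authorization, explicit response DTO."""
    req = json.loads(raw_body)
    session = VALID_SESSIONS.get(cookies.get("session"))
    if session is None:
        return rpc_error(req.get("id"), -32001, "Authentication required")
    if req.get("method") != "getChannelConfigDetails":
        return rpc_error(req.get("id"), -32601, "Method not found")
    channel_id = req.get("params", {}).get("channelId")
    if channel_id not in session["channels"]:
        return rpc_error(req.get("id"), -32003, "Forbidden")
    channel = CHANNEL_DB.get(channel_id)
    if channel is None:
        return rpc_error(req.get("id"), -32004, "Not found")
    # Allow-list: the response is assembled from named fields, never from the raw object.
    dto = {k: channel[k] for k in PUBLIC_FIELDS}
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": dto}


def leaked_fields(response):
    """Check: which non-public keys made it into a response?"""
    result = response.get("result") or {}
    return sorted(k for k in result if k not in PUBLIC_FIELDS)


ANON_REQUEST = make_request("ch-1")

if __name__ == "__main__":
    print("vulnerable, no cookie, leaks:", leaked_fields(vulnerable_handler(ANON_REQUEST, {})))
    print("hardened, no cookie:", hardened_handler(ANON_REQUEST, {}))
    print("hardened, valid session:", hardened_handler(ANON_REQUEST, {"session": "sess-abc"}))
```

The `leaked_fields` check is the same comparison a tester can run against a real response: anything outside the documented allow-list in an unauthenticated reply is the finding. Note that the hardened handler fixes both errors independently; restoring the session check alone would still hand every logged-in user the secrets of the channels they can see.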

The Payload (PoC)

The attack was entirely straightforward: intercept a legitimate request and alter the parameter in the JSON payload that selects which internal method the endpoint invokes, pointing it at a method we will figuratively call getChannelConfigDetails.

The attacker only needed to send the following request anonymously from any REST client or terminal:
