How I Discovered a Critical Vulnerability in a Message Tracking System

4 min readJun 14, 2024

Bug Title: Unauthorized Access and Download of Messages in Message Delivery Tracking System
CVSS v4.0 Score: 8.3 / High
URL: https://example.com/

Imagine logging into your account on a trusted website, only to find that a simple tweak in the URL can expose confidential information from other users. This was the startling discovery I made while exploring the message delivery tracking system of a well-known application. Here’s the story of how I uncovered a critical vulnerability that shook the system.

It was a typical day for me, as I often spend my time hunting for security bugs in popular web applications. On this particular day, I was logged into the e-DOC site of Example.com, a platform used by organizations to send and track important messages. I was in the sent message section, reviewing my recently sent messages, when curiosity got the better of me. I noticed the URL contained a parameter labeled File NO.

In a moment of experimentation, I decided to change the File NO value in the URL from AA0017 to AA0027. To my surprise, pressing Enter loaded a different message—one that belonged to another user. Not only could I view this message, but I could also download it. This unintentional yet significant discovery highlighted a glaring security gap.

Steps to Reproduce:

Navigate to the sent message section (e.g., https://example.com/sent/).

Click on "track" for your message.

Press Enter.

Observe that the message for the new File NO is displayed and can be downloaded.

The Vulnerability:

My simple experiment revealed a major flaw: the system did not restrict access based on user authorization. Instead, it relied solely on the File NO parameter, a numeric value easily manipulated in the URL. This oversight allowed anyone with a basic understanding of URLs to access confidential messages of other users.

Expected vs. Actual Result:

Expected Result: The system should restrict access to messages such that only authorized users can view and download their own messages. Changing the File NO parameter should not grant access to messages of other users.

Actual Result: Changing the File NO parameter in the URL allowed unauthorized access to messages intended for other users, which could also be downloaded without proper authorization.

Impact:

Confidentiality Breach: Users could access and download messages of other users, potentially exposing sensitive information.
Data Integrity Risk: Unauthorized users could misuse the information obtained from other users' messages.

Environment:

Operating System: Windows 11 Home Single Language
Version/Build: 22H2
OS Build: 22621.3235
Browser/Client: Firefox Nightly
Version/Build: Version 125.0a1 (2024-03-17) (64-bit)

Suggested Fix:

To prevent such vulnerabilities, I suggested the following fixes:

Implement Access Control: Ensure that the backend verifies the user's authorization before displaying or allowing the download of any message. Each request should validate that the current user has the right to access the message identified by the File NO.
Parameter Validation: Use a more secure method for identifying messages, such as session-based tokens or encrypted identifiers, rather than simple numeric parameters in the URL.
Logging and Monitoring: Log any unauthorized access attempts and monitor them for potential abuse patterns.

I reported my findings to Example.com, hoping for a swift resolution to this critical issue. My dedication to cybersecurity and responsible disclosure highlights the importance of vigilant security practices in our increasingly digital world.

Reported By:
Adarsh Kumar (aka @adarshkrdubay)

My discovery serves as a reminder: always question, always test, and always protect.