Comment by justusthane

6 days ago

> Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant

Not really? The vulnerability might not have been discovered if that was the case, but it doesn’t change the fact that anyone who has access to the system can gain access to all of the data in the system, right?

Perhaps I misunderstood, but I read it that the account they got access to was a highly privileged account, which did have general access to all data.

The report didn't make it clear to me if an unauthorised user, or an account with low privilege can still access data they otherwise should not have access to.

If this is true, then I agree it is an IDOR, but I read it as they had access because of their current context.

  • > It turned out we had become the administrator of a test restaurant inside the McHire system.

    I don’t think you would expect the administrator of a single restaurant to have access to the data of all 64M applicants globally