User information disclosed via API endpoint

MkNayek
1 min read · Jan 8, 2025


Summary:

It appears that the requests for “system accounts” are fully available via an API endpoint that does not require authentication.

The main issue is that the information disclosed includes user fields: uid, name, address, phone number, street, streetNumber, apartment, zipCode, city, geoLocation, latitude, longitude, distance and slug.

Steps To Reproduce:

Navigate to the following URL: https://mijn.gamma.be/api/session-data/nearby-stores/201

Note: you can change the page id from 201 to 243 one by one, for example:

  1. https://mijn.gamma.be/api/session-data/nearby-stores/202
  2. https://mijn.gamma.be/api/session-data/nearby-stores/213
  3. https://mijn.gamma.be/api/session-data/nearby-stores/243

Here is an example object of what is returned from the endpoint:

[
  {"uid":"668","name":"GAMMA Hasselt-Runkst","address":{"street":"Runkstersteenweg","streetNumber":"245","apartment":"","zipCode":"3500","city":"HASSELT","phone":"+32 11 283666"},"geoLocation":{"latitude":50.925085,"longitude":5.3197},"distance":2.93373162280325,"slug":"hasselt-runkst"},
  {"uid":"835","name":"GAMMA Genk-Hasseltweg","address":{"street":"Hasseltweg","streetNumber":"196","apartment":"","zipCode":"3600","city":"GENK","phone":"+32 89 410370"},"geoLocation":{"latitude":50.960724,"longitude":5.454175},"distance":7.86430226333355,"slug":"genk-hasseltweg"},
  {"uid":"237","name":"GAMMA Genk Driehoeven","address":{"street":"Gieterijstraat","streetNumber":"8","apartment":"","zipCode":"3600","city":"GENK","phone":"+32 89 842473"},"geoLocation":{"latitude":51.004547,"longitude":5.491984},"distance":12.1961682415492,"slug":"genk-driehoeven"}
]
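Because the endpoint needs no authentication, the only place the walk through ids 201 to 243 described above leaves a trace is the web server's access log. The following is an added example, not part of the original report or of the site's code: a small detector that flags any client fetching many distinct record ids of this endpoint inside a short window. The log lines, client IPs, window and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines (not real traffic): one client walks
# ids 201-205 of the endpoint within seconds, another fetches a single record twice.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2025:10:00:01 +0000] "GET /api/session-data/nearby-stores/201 HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [08/Jan/2025:10:00:02 +0000] "GET /api/session-data/nearby-stores/202 HTTP/1.1" 200 790 "-" "curl/8.4.0"
203.0.113.7 - - [08/Jan/2025:10:00:03 +0000] "GET /api/session-data/nearby-stores/203 HTTP/1.1" 200 805 "-" "curl/8.4.0"
198.51.100.9 - - [08/Jan/2025:10:00:04 +0000] "GET /api/session-data/nearby-stores/210 HTTP/1.1" 200 801 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2025:10:00:04 +0000] "GET /api/session-data/nearby-stores/204 HTTP/1.1" 200 799 "-" "curl/8.4.0"
203.0.113.7 - - [08/Jan/2025:10:00:05 +0000] "GET /api/session-data/nearby-stores/205 HTTP/1.1" 200 811 "-" "curl/8.4.0"
198.51.100.9 - - [08/Jan/2025:10:06:30 +0000] "GET /api/session-data/nearby-stores/210 HTTP/1.1" 200 801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PATH_RE = re.compile(r'^/api/session-data/nearby-stores/(?P<id>\d+)$')  # only per-record requests


def parse_line(line):
    """Return (client_ip, timestamp, record_id) for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or not (p := PATH_RE.match(m['path'])):
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, int(p['id'])


def find_enumerators(lines, window=timedelta(minutes=5), min_ids=5):
    """Return {client_ip: sorted ids} for clients that fetched >= min_ids distinct ids within window."""
    per_ip = defaultdict(list)
    for line in lines:
        if rec := parse_line(line):
            ip, ts, rid = rec
            per_ip[ip].append((ts, rid))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()                       # chronological, so a sliding window works
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # drop events that fell out of the window
            ids = {rid for _, rid in events[start:end + 1]}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)   # report the first window that tripped the rule
                break
    return flagged
```

Repeated fetches of the same id are not counted, so a legitimate user reloading a single store page does not trip the rule; the threshold and window should be tuned against real traffic before alerting on it.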

Supporting Material/References:

Hackerone report: https://hackerone.com/reports/1218461

Impact:

A threat actor could view personal information about users on the platform.

It is also theoretically possible that a threat actor could use information gathered from this endpoint to identify future targets and footholds.
