The api/mobile/preorders#preorder_attributes action fetches a Preorder object based on the external_id provided in the URL parameters (params[:id]) without checking if the authenticated user is authorized to access the fetched preorder. This allows any user who knows a valid external_id of a preorder in the authorization_successful or charge_successful state to view its attributes, potentially exposing sensitive information like the associated user and purchase IDs.
Reproduction Steps:
- Obtain a valid external_id for a preorder that is in either the authorization_successful or charge_successful state.
- As an authenticated user (who does not own the preorder), send a GET request to /mobile/preorders/preorder_attributes/:id, replacing :id with the obtained external_id.
- Observe that the response contains the preorder's attributes even though the caller has no association with it.
Exploitation:
An attacker can exploit this by iterating through potential external_id values or using a known valid ID to access preorder details they are not authorized to view. The response includes data from the mobile_json_data method, which contains potentially sensitive information such as user_id and purchase_id.
Proof of Concept (Conceptual):
Assuming an attacker knows a valid external_id (e.g., abc123xyz) for a preorder they do not own:
curl -X GET "https://gumroad.com/mobile/preorders/preorder_attributes/abc123xyz" -H "Authorization: Bearer [attacker's_auth_token]"
The response would contain the details of the preorder with external_id abc123xyz, regardless of whether the authenticated user is the owner or has any association with it.
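To make the missing check concrete, the following is an added example written for this write-up, not Gumroad's code. It models the lookup behind api/mobile/preorders#preorder_attributes in plain Ruby (no Rails) so the unscoped fetch can be compared with an owner-scoped one. The sample records, the field set of mobile_json_data, and ownership via a user_id column are all assumptions; in the real application the owning relation may run through the purchase instead.

```ruby
# Added example, not Gumroad's code. Plain-Ruby model of the preorder lookup so
# the authorization gap and a scoped fix can be compared side by side.
Preorder = Struct.new(:external_id, :state, :user_id, :purchase_id, keyword_init: true)

# Constructed sample data standing in for the preorders table (hypothetical).
PREORDERS = [
  Preorder.new(external_id: "abc123xyz", state: "charge_successful",         user_id: 1, purchase_id: 501),
  Preorder.new(external_id: "def456uvw", state: "authorization_successful",  user_id: 2, purchase_id: 502),
  Preorder.new(external_id: "ghi789rst", state: "authorization_failed",      user_id: 1, purchase_id: 503),
].freeze

# States the endpoint is willing to serve, per the report.
VISIBLE_STATES = %w[authorization_successful charge_successful].freeze

# Serializer assumed to resemble mobile_json_data; the exact field set is a guess.
def mobile_json_data(preorder)
  {
    external_id: preorder.external_id,
    state: preorder.state,
    user_id: preorder.user_id,
    purchase_id: preorder.purchase_id,
  }
end

# Vulnerable pattern: the record is selected by external_id and state only.
# current_user_id is accepted but never consulted, which is the IDOR.
def preorder_attributes_unscoped(external_id, current_user_id)
  record = PREORDERS.find do |po|
    po.external_id == external_id && VISIBLE_STATES.include?(po.state)
  end
  record ? mobile_json_data(record) : nil # nil stands in for a 404 response
end

# Hardened pattern: the same lookup, additionally scoped to the caller.
# Ownership via user_id is an assumption; the point is that the caller's
# identity is part of the query, not checked after the fact.
def preorder_attributes_scoped(external_id, current_user_id)
  record = PREORDERS.find do |po|
    po.external_id == external_id &&
      VISIBLE_STATES.include?(po.state) &&
      po.user_id == current_user_id
  end
  record ? mobile_json_data(record) : nil
end

# Attacker (user 2) requesting user 1's preorder:
#   preorder_attributes_unscoped("abc123xyz", 2) #=> user 1's attributes leak
#   preorder_attributes_scoped("abc123xyz", 2)   #=> nil (404)
```

In an ActiveRecord controller the scoped form corresponds to starting the query from the authenticated user's association (for example current_user.preorders.find_by!(external_id: params[:id]) or an equivalent join through the purchase) rather than from Preorder itself, so an unknown or foreign external_id yields the same not-found response and leaks nothing about whether the ID exists.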