#mass_assignment — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #mass_assignment, aggregated by home.social.
-
🔍 OSINT
===================Executive summary: Researchers reported a security flaw in the FIA Driver Categorisation portal (driverscategorisation.fia.com) that permitted privilege escalation via an unauthenticated or insufficiently validated HTTP PUT payload. The issue surfaced when the API returned and accepted a roles JSON field during profile updates.
Technical details:
• The update endpoint observed in the report is PUT /api/users/{id} with a JSON request body containing fields such as id, email, firstName, lastName.
• The API response included additional properties not shown in the UI, for example birthDate, status, and a roles parameter.
• Based on the site JavaScript, role objects follow a structure like {"id":1,"description":"ADMIN role","name":"ADMIN"}. Submitting a roles array in the PUT body resulted in the account being granted the ADMIN role in the returned JSON.Analysis:
• The behavior indicates insufficient server-side filtering of assignable attributes (mass-assignment), allowing client-controlled elevation of role attributes.
• Exposure of profile fields (e.g., birthDate and secondary profile data) in responses suggests the API returns sensitive PII when queried or updated.
• Privileged role assignment (ADMIN) can enable expanded access to backend functionality and other users' records if the application enforces role-based access control based on that field alone.Limitations and scope:
• The reported evidence demonstrates role escalation on a test account and JSON fields containing PII. The source material is part 1 of a series and does not enumerate all accessed accounts or provide comprehensive IoCs beyond the endpoint and JSON attributes.
• No CVE identifiers or remediation timeline were provided in the source material.Detection considerations:
• Logs that record JSON payloads for PUT /api/users/* showing unexpected roles arrays could surface exploitation attempts.
• API response records returning PII fields to non-privileged contexts would be an observable indicator.References and provenance:
• Findings attributed to researchers Gal Nagli and Sam Curry as described in the published write-up (part 1 of 3).🔹 driverscategorisation #mass_assignment #privilege_escalation #pii #FIA
🔗 Source: https://ian.sh/fia