Startup launches a web service. Users’ pages are at startup.com/users/$USERNUMBER.
Editing $USERNUMBER in the browser address bar lets you access any other user’s page.
Accessing a user’s page exposes not only their account but also their Amazon Web Services secret keys. Trusting Amazon isn’t particularly smart either, but at least you can encrypt your data yourself before it ever reaches AWS if you must use it.
Quote from the comments:
“Sadly, as a penetration tester I come across issues like these very often. ID enumeration is a classic.”
Two lessons. First, never simply trust an organization: verify its claims if you must do business with it, and put your own security measures in place to cover yourself when theirs fail. Second, if the company hasn’t had time to work out the bugs, assume those failures will be epic.
“The important part here is to note that if I had filled out an AWS access key ID and AWS secret access key previously, the entire key would be visible on this screen. So while only the last few characters are visible from the account view, the entire key is visible from the edit view. It’s worth noting that the edit option is available for any user account and can be accessed by anyone.
This means that by going to /users/1/edit and /users/2/edit, you could edit the details of the two founders of Ice Box Pro. From here you can reset their password, log in as them, and get access to any file they backed up. Even worse, it gives you access to their AWS keys.”
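As an added example (not Ice Box Pro’s code, and not from the original post or its comments), here is the ID-enumeration flaw modelled in Python: a handler that behaves the way the quote describes, beside a hardened one that binds the URL id to the authenticated session and never echoes the secret key back. The user store, the session and role model, the function names and the placeholder key strings are all constructed for illustration.

```python
"""Added example (not Ice Box Pro's code): the ID-enumeration / insecure direct
object reference flaw described above, as a vulnerable handler beside a hardened
one. The user store, Session/Response types, role names and key strings are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two "founder" accounts and one ordinary user. The key
# strings are fake placeholders in an AWS-like shape, not real credentials.
USERS = {
    1: {"name": "founder-a", "role": "admin",
        "aws_access_key_id": "AKIAEXAMPLE00000001",
        "aws_secret_access_key": "EXAMPLESECRETKEY0000000000000001"},
    2: {"name": "founder-b", "role": "admin",
        "aws_access_key_id": "AKIAEXAMPLE00000002",
        "aws_secret_access_key": "EXAMPLESECRETKEY0000000000000002"},
    3: {"name": "alice", "role": "user",
        "aws_access_key_id": "AKIAEXAMPLE00000003",
        "aws_secret_access_key": "EXAMPLESECRETKEY0000000000000003"},
}


@dataclass
class Session:
    """Who the request is authenticated as (None means anonymous)."""
    user_id: Optional[int] = None


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_edit_view(session: Session, requested_id: int) -> Response:
    """Models the flaw: the handler loads whatever id is in the URL and returns
    the full record, secret key included, without checking that the caller
    owns that record or is even logged in."""
    user = USERS.get(requested_id)
    if user is None:
        return Response(404)
    return Response(200, dict(user))


def mask_secret(secret: str, visible: int = 4) -> str:
    """Show only the last few characters, as the account view already did."""
    return "*" * (len(secret) - visible) + secret[-visible:]


def hardened_edit_view(session: Session, requested_id: int) -> Response:
    """Fix: (1) require authentication, (2) bind the URL id to the session user
    (admins excepted), (3) treat the secret as write-only: the form accepts a
    new value but only ever displays a masked tail."""
    if session.user_id is None or session.user_id not in USERS:
        return Response(401)
    caller = USERS[session.user_id]
    if requested_id != session.user_id and caller["role"] != "admin":
        # 404 rather than 403, so the response does not confirm the id exists.
        return Response(404)
    user = USERS.get(requested_id)
    if user is None:
        return Response(404)
    body = {k: v for k, v in user.items() if k != "aws_secret_access_key"}
    body["aws_secret_access_key_hint"] = mask_secret(user["aws_secret_access_key"])
    return Response(200, body)


def enumerate_secrets(view, session: Session, max_id: int = 10) -> dict:
    """The pentester's 'ID enumeration': walk /users/1/edit .. /users/N/edit
    and collect every full secret key the view hands back."""
    leaked = {}
    for uid in range(1, max_id + 1):
        resp = view(session, uid)
        if resp.status == 200 and "aws_secret_access_key" in resp.body:
            leaked[uid] = resp.body["aws_secret_access_key"]
    return leaked


if __name__ == "__main__":
    anon = Session()
    print("vulnerable, anonymous:", enumerate_secrets(vulnerable_edit_view, anon))
    print("hardened, anonymous:", enumerate_secrets(hardened_edit_view, anon))
    print("hardened, alice viewing founder:", hardened_edit_view(Session(3), 1))
    print("hardened, alice viewing self:", hardened_edit_view(Session(3), 3).body)
```

Against the vulnerable view an anonymous walk over the id space returns every stored secret; against the hardened view it returns nothing, and even an administrator only ever sees the masked tail. In most web frameworks the fix amounts to loading the record through the authenticated session instead of straight from the URL parameter, and to never putting a stored secret back into a form field once it has been saved.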