An insecure direct object reference (IDOR) vulnerability allows users to access data through user-supplied input without proper authorization checks.
View personal data such as date of birth and gender for any user.
View private profiles of users that contain sensitive data such as addresses, phone numbers, and emails.
View Dot.Cards Google Firebase databases.
Unauthorized activation of any Dot.Card product.
Dot.Cards used the Next.js framework, which serialises page data into a global object called __NEXT_DATA__ embedded in the source of public profile pages. This object included sensitive metadata such as profileID, full date of birth, and identity-related details. Because this data was present in the page source, any unauthenticated user could extract it and potentially use it for further exploitation.
Each user profile was assigned a unique profileID that linked to their digital business card. These IDs were exposed through __NEXT_DATA__ and could be manually guessed or enumerated. By altering the profileID in specific requests, it was possible to access the profiles of other users, including private profiles, without authorization.
Dot.Cards offered an option to disable public access to a user’s profile. Even with this option enabled, a profile could still be accessed directly by referencing its profileID. This bypassed the intended privacy setting and allowed retrieval of sensitive information from profiles that were supposed to be hidden from public view.
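The two findings above (profile access by profileID, and the private-profile bypass) come down to a single missing server-side check. The following is an added illustration, not Dot.Cards' code: a constructed profile-lookup handler in the vulnerable shape beside a hardened version that decides access from the requester's identity and only ever exposes a public projection to non-owners. The data store, field names and profileID values are assumptions.

```javascript
// Constructed sample data; the schema and IDs are assumptions for this example.
const profiles = {
  "p-1001": { owner: "alice", isPublic: true,  name: "Alice", dob: "1990-04-12", phone: "+1-555-0101" },
  "p-1002": { owner: "bob",   isPublic: false, name: "Bob",   dob: "1988-11-30", phone: "+1-555-0102" },
};

// Fields a public business-card page legitimately needs in order to render.
const PUBLIC_FIELDS = ["name"];

// VULNERABLE: the only input is the user-supplied profileId. The privacy flag
// is never consulted and the whole record (DOB, phone) is returned, which is
// exactly the kind of object that then gets serialised into __NEXT_DATA__.
function getProfileVulnerable(profileId) {
  const p = profiles[profileId];
  if (!p) return { status: 404 };
  return { status: 200, body: p };
}

// HARDENED: authorization is derived from the authenticated requester, not from
// the identifier in the request, and non-owners only see the public projection.
function getProfileHardened(profileId, requester /* null when unauthenticated */) {
  const p = profiles[profileId];
  // Same response for "missing" and "not allowed", so the response does not
  // reveal which profileIDs exist.
  if (!p) return { status: 404 };
  const isOwner = requester !== null && requester === p.owner;
  if (isOwner) return { status: 200, body: p };
  if (!p.isPublic) return { status: 404 };
  const pub = {};
  for (const f of PUBLIC_FIELDS) pub[f] = p[f];
  return { status: 200, body: pub };
}
```

The hardened handler also fixes the __NEXT_DATA__ exposure indirectly: a page can only embed what the server returns, so keeping date of birth and contact details out of the non-owner response keeps them out of the page source.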
In addition to the profile vulnerabilities, a flaw was discovered that allowed attackers to activate Dot.Card products without purchasing or physically possessing them. Cards intended for specific users could be activated under different accounts, rendering the original products unusable. This vulnerability also introduced opportunities for phishing by enabling the creation of fake or spoofed Dot.Cards.