Here’s how I gained access to millions of death certificates by discovering three vulnerabilities. I hacked a state government website and chained broken access control (BAC) with an IDOR to access millions of death certificates.
If you’re not familiar with my work, you might wanna check out some other pieces I wrote. This one is very interesting as it chains three vulnerabilities into a critical impact. On this state government website, you can submit a request for a death certificate and also download the pending ones. I started by testing the usual bypasses, such as OTP rate limits; I had previously had luck with that on this state’s websites, but this one was secure.
So I went the normal route: I read through some .js files and tested the application by submitting an application. I got a registration ID that looks like this.
Here ACK stands for Acknowledgement and the Z is a special identifier, probably for the type of document it is stored under. The xxxxxx is a number which we can manipulate by a single digit, for example XXXXX1, and to my surprise it gave us other people’s names and places of death.
This is a vulnerability in itself, but can we chain it to maybe get their complete death certificate?
I got to work: I sent this to the proxy and intercepted the response to the request. I found that it was leaking the phone number. Another vulnerability, but let’s continue.
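To make the two findings above concrete from the fixing side, here is an added example (my own code, not the state site’s code) of a certificate-request status lookup. The `vulnerable_lookup` function models the behaviour the post describes: any well-formed ACKZ id returns the full record, phone number included. The `hardened_lookup` function shows the two fixes a defender would want: object-level authorization (the record must belong to the logged-in account) and field projection (the status view never includes the phone number). The id format, the six-digit length, the record fields and all sample data are assumptions constructed for this example.

```python
# Added example: object-level authorization and response minimisation for a
# certificate-request lookup. Not the original site's code; all data below is
# constructed for illustration.
import re
from dataclasses import dataclass, asdict

# Identifier shape described in the post: "ACK" + "Z" + digits.
# The six-digit length is an assumption for this example.
ACK_ID = re.compile(r"^ACKZ(\d{6})$")


@dataclass(frozen=True)
class CertificateRequest:
    ack_id: str
    owner_user_id: str      # the account that submitted the application
    decedent_name: str
    place_of_death: str
    requester_phone: str    # sensitive: must never be sent back in a status view


# Constructed sample records keyed by acknowledgement id.
REQUESTS = {
    "ACKZ000101": CertificateRequest("ACKZ000101", "user-a", "A. Example", "Springfield", "555-0100"),
    "ACKZ000102": CertificateRequest("ACKZ000102", "user-b", "B. Example", "Shelbyville", "555-0101"),
}


class NotAuthorized(Exception):
    """Raised when the record does not exist or is not owned by the caller."""


def vulnerable_lookup(ack_id: str) -> dict:
    """The behaviour the post describes: any valid id returns the whole record,
    with no check on who is asking and no filtering of sensitive fields."""
    return asdict(REQUESTS[ack_id])


def hardened_lookup(session_user_id: str, ack_id: str) -> dict:
    """Validate the id shape, enforce ownership, then return only the fields
    the status page actually needs."""
    if not ACK_ID.match(ack_id):
        raise ValueError("malformed acknowledgement id")
    rec = REQUESTS.get(ack_id)
    # One error for both "no such record" and "not your record": a different
    # message for each would confirm which ids exist even when access is denied.
    if rec is None or rec.owner_user_id != session_user_id:
        raise NotAuthorized("no such request for this account")
    return {
        "ack_id": rec.ack_id,
        "decedent_name": rec.decedent_name,
        "status": "pending",
    }


if __name__ == "__main__":
    print(hardened_lookup("user-a", "ACKZ000101"))
    try:
        hardened_lookup("user-a", "ACKZ000102")
    except NotAuthorized as exc:
        print("denied:", exc)
```

The ownership check is the part that closes the IDOR: the server decides access from the session, not from the id the client supplies. The projection is what closes the phone-number leak; even a correctly authorized response should carry only what the page renders.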
I found no way to download the cert even though there was an option to. I used my extremely powerful tool, which you can learn about in this ARTICLE, to get the URLs. One of them stood out.
Here I tried to enter the EncodedID and guess what?
The cert downloaded as a PDF file.
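On the operations side, the chain above leaves a recognisable trace in access logs: one account walking consecutive ACKZ ids on the status endpoint, then calling the download endpoint with ids it never registered. Here is an added example (my own code, not the site’s) of detection logic that flags both patterns. The log line format, the `/status` and `/download` paths, the `encodedId` parameter name and the ownership table are all constructed assumptions for this example.

```python
# Added example: flag id enumeration and cross-account downloads in access
# logs. Not the original site's code; log format, paths and ids are constructed.
import re
from collections import defaultdict

# Constructed log format: "<ip> <user> <path> <status>".
LINE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ACK = re.compile(r"ACKZ(\d+)")

# Constructed sample log: user-a walks four consecutive ids, then downloads one
# that belongs to someone else; user-b only touches its own record.
SAMPLE_LOG = """\
10.0.0.5 user-a /status?ack=ACKZ000101 200
10.0.0.5 user-a /status?ack=ACKZ000102 200
10.0.0.5 user-a /status?ack=ACKZ000103 200
10.0.0.5 user-a /status?ack=ACKZ000104 200
10.0.0.5 user-a /download?encodedId=ACKZ000104 200
10.0.0.9 user-b /status?ack=ACKZ000102 200
10.0.0.9 user-b /download?encodedId=ACKZ000102 200
""".splitlines()

# Constructed ownership table: which account submitted each request.
OWNERSHIP = {
    "ACKZ000101": "user-a",
    "ACKZ000102": "user-b",
    "ACKZ000103": "user-c",
    "ACKZ000104": "user-d",
}


def parse(lines):
    """Yield one dict per well-formed log line; skip anything that does not match."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def sequential_runs(lines, min_run=3):
    """Return {user: longest run of consecutive ACKZ ids successfully requested}
    for every user whose longest run reaches min_run."""
    seen = defaultdict(set)
    for e in parse(lines):
        m = ACK.search(e["path"])
        if m and e["status"] == "200":
            seen[e["user"]].add(int(m.group(1)))
    flagged = {}
    for user, ids in seen.items():
        longest = run = 0
        prev = None
        for n in sorted(ids):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            longest = max(longest, run)
            prev = n
        if longest >= min_run:
            flagged[user] = longest
    return flagged


def foreign_downloads(lines, ownership):
    """Return (user, ack_id) pairs for successful downloads of records the
    requesting account does not own."""
    hits = []
    for e in parse(lines):
        if e["path"].startswith("/download") and e["status"] == "200":
            m = ACK.search(e["path"])
            if m:
                ack_id = "ACKZ" + m.group(1)
                if ownership.get(ack_id) != e["user"]:
                    hits.append((e["user"], ack_id))
    return hits


if __name__ == "__main__":
    print("enumeration:", sequential_runs(SAMPLE_LOG))
    print("foreign downloads:", foreign_downloads(SAMPLE_LOG, OWNERSHIP))
```

The sequential-run check is cheap and catches the enumeration step on its own, but it is noisy for accounts that legitimately hold many requests; the ownership join is the higher-confidence signal, because a download of a record the account never created should not succeed at all once the authorization bug is fixed, so any hit after the fix is a regression.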
I tried to estimate the number of people this vulnerability impacted; it was in the millions, so it had to be mitigated quickly. I reported it to the authorities. What can we take away from this? CHAIN vulnerabilities! That’s all. I love to hack governments; from the United Nations to the Dutch government, this has been my favorite.
Giveaway winners will be mailed the voucher for TryHackMe Premium if they respond to this and are active.
Signing Out — Ravaan:)