Staples Canada – The IDOR that just kept giving

Some of you are probably wondering, WHAT ON EARTH IS IDOR? IDOR, or insecure direct object reference, is a common vulnerability that is sometimes misunderstood by even some of the most seasoned security professional. The basic concept is that a user-controlled parameter is used to directly reference and access a resource, but the application does not first validate that the requester is authorized to access said resource.

As a simple example, take the URL below, which is sent to retrieve the tax records for a user with a SIN (social insurance number) of 123456789:

At a quick glance, you can probably guess what tax documents you might be able to grab if you change the SIN value. By simply guessing or knowing valid SIN numbers, a hacker could grab the tax records belong to other users without the right access controls in place. This is IDOR in a nutshell – an access control flaw that allows a hacker to use a user-controllable parameter to directly access a resource.

Staples Canada – SolutionShop

In May 2022, Proack began a simple research project to identify online printing shops that:

  1. Have IDOR vulnerabilities that exposed documents and photos of their customers without doing proper access control checks; and
  2. Only soft delete user images & documents (saving for another post).

On day one, we found not only did Staples Canada have an unauthenticated IDOR vulnerability on their SolutionShop platform, but their resources were named sequentially (fs3t-ps1_12358203), which made it significantly easier to exploit (than say, using a random GUID without proper access controls, which is security through obscurity!). Here are some examples of documents we found:

  • Passports
  • PR card
  • Canada Post shipping labels
  • ADP earning statements
  • Email threads
  • Resumes
  • Bank & other financial statements
  • Product installation instructions including usernames and passwords

We immediately reached out to Staples Canada on May 10, 2022; however, they were not very receptive to our findings. Despite this, we worked in good faith and provided all the information we had on hand at the time as to where the vulnerability was and how it could be exploited.

To our surprise (some not surprised), this vulnerability persisted and remained active during our entire responsible disclosure window of 90 days. We reached out several times to get an ETA for a fix, but the response we got from Staples Canada was that their vendor (Ricoh) was working on it.

Fast forward to August 9, 2022 (public disclosure deadline), a fix had yet to be implemented. Staples Canada reached out requesting we hold off public disclosure as a fix was being rolled out on August 11. Of course, we would hold releasing the details of this vulnerability, given how easy it was to exploit. Then radio silence from Staples Canada.

A few weeks later, we checked, and the IDOR remained, except now you just needed to be logged in. You can be logged in as user A and access files belonging to user B. Here is a sample POC:

We also happened to find another IDOR vulnerability that provided a PDF copy of the user’s document (better resolution and every single page of an uploaded document). Here is a sample POC:

After a bit of back and forth internally, we decided to reach back out to Staples Canada on September 1, 2022, informing them that they were still exposing their customer data, and provided the details of how their attempted “fix” failed and the additional vulnerable endpoint.

On September 2, 2022, we received a call from Staples Canada requesting we hold off public disclosure, until they implement a fix; however, as of September 4, 2022, it appears that they fixed the first IDOR by properly verifying the document requested belongs to the requestor. The second IDOR also looks to have been removed, as the vulnerable feature was completely replaced with a manual workflow forcing users to email in their documents for printing.

Disclosure timelines

Staples Canada does not have a bug bounty program or a method to disclose vulnerabilities responsibly; however, our findings were reported as per industry best practices:

  • May 10, 2022: Vulnerability details provided to Staples Canada’s security team.
  • May 13, 2022: Requested an updated as no response was received from Staples Canada. A response was received from Staples Canada indicating they are having a follow-up call with their vendor next week.
  • June 16, 2022: Requested an updated as no response was received from Staples Canada.
  • June 29, 2022: Response received from Staples indicating their vendor was working on a solution. Proack requested an ETA, but none was given.
  • August 9, 2022: Received a call from Staples requesting public disclosure be delayed until August 11, 2022 to allow for a fix to be implemented, which we agreed to do.
  • September 1, 2022: Email sent to Staples Canada indicating the original IDOR vulnerability was not fixed and that an additional endpoint was found.
  • September 2, 2022: Received a call from Staples Canada requesting public disclosure be delayed until a fix was implemented.
  • September 4, 2022: Proack observed that the original IDOR vulnerability is fixed. The second IDOR vulnerability was “removed”, as the feature has been completely replaced by a manual workflow.
  • September 7, 2022: Public disclosure.