CVE-2026-53675
Status: Received - Intake
BuddyPress REST API Friends List Exposure

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
Affected Vendors & Products

Vendor: buddypress
Product: buddypress
Version / Range: 14.4.0
CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

The vulnerability in BuddyPress 14.4.0 allows any authenticated attacker to enumerate another user's complete friend list due to an insecure direct object reference in the friends REST API. This results in the disclosure of users' private social connections.

Such unauthorized disclosure of private user information could affect compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal data and ensuring user privacy. However, the provided context does not explicitly discuss compliance implications or regulatory impact.

Detection Guidance

This vulnerability can be detected by attempting to access the friends REST API endpoint with an arbitrary user_id while authenticated. If the API returns the friend list of the specified user without verifying ownership, the system is vulnerable.

To test, send an authenticated HTTP GET request to the friends endpoint with different user_id values and observe whether the friend lists of other users are disclosed.

  • Use curl to send an authenticated request: curl -H "Authorization: Bearer <token>" https://<your-site>/wp-json/buddypress/v1/friends?user_id=<target_user_id>
  • Replace <token> with a valid authentication token and <target_user_id> with the ID of another user.

If the response contains the friend list of the target user, the vulnerability exists.

Mitigation Strategies

Immediate mitigation steps include restricting access to the friends REST API endpoint to only allow users to query their own friend lists.

Ensure that the get_items_permissions_check method properly verifies ownership of the requested user_id before returning any data.

If a patch or updated version of BuddyPress is available that fixes this issue, apply it as soon as possible.

As a temporary measure, consider disabling the friends REST API endpoint or restricting it via firewall or access control rules until a fix is applied.
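As an added illustration (not BuddyPress's own code), the shape of WordPress REST permission callback the description implies: the login-only check that matches the flaw, beside one that also enforces ownership of the requested user_id. The function names, the route namespace and the data handler are assumed; only the WordPress API calls are real.

```php
<?php
// Added illustration, not BuddyPress code. The first callback mirrors the flaw
// described for CVE-2026-53675 (login is the only test); the second adds the
// missing ownership check. Function and route names are assumed.

/**
 * Weak check: any logged-in user passes, whatever user_id the request carries.
 */
function example_friends_permissions_login_only( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_authorization_required', 'Login required.', array( 'status' => 401 ) );
    }
    return true; // never compares user_id with the requester
}

/**
 * Hardened check: the requested user_id must be the current user's own ID,
 * unless the current user is allowed to manage other users. A missing or
 * zero user_id defaults to the requester's own list.
 */
function example_friends_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_authorization_required', 'Login required.', array( 'status' => 401 ) );
    }

    $current_user_id   = get_current_user_id();
    $requested_user_id = absint( $request->get_param( 'user_id' ) );
    if ( 0 === $requested_user_id ) {
        $requested_user_id = $current_user_id;
    }

    // Ownership check: only the owner, or a user with the edit_users capability, may read the list.
    if ( $requested_user_id !== $current_user_id && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only view your own friends.', array( 'status' => 403 ) );
    }
    return true;
}

// Route registration (assumed namespace and handler) wiring the hardened callback
// into permission_callback, which WordPress runs before the data handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/friends', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_friends', // assumed handler that builds the list; not shown
        'permission_callback' => 'example_friends_permissions_check',
        'args'                => array( 'user_id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ) ),
    ) );
} );
```

The capability used to allow administrative access (edit_users) is a choice for this illustration; a site may prefer a narrower, purpose-specific capability.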

Executive Summary

This vulnerability exists in BuddyPress 14.4.0 and is an insecure direct object reference issue in the friends REST API. It allows any authenticated attacker to retrieve the complete friend list of another user. The problem arises because the API's permission check only verifies that the requester is logged in, but does not verify whether the requester owns the friend list they are trying to access. As a result, private social connections of users can be disclosed to unauthorized users.

Impact Analysis

The impact of this vulnerability is the unauthorized disclosure of users' private friend lists. An attacker who is authenticated can enumerate and view the complete social connections of other users without permission. This can lead to privacy violations, potential social engineering attacks, and loss of user trust.
