Exposure of Sensitive Information to an Unauthorized Actor in kcal-app/kcal


Reported on

Sep 27th 2021


An attacker can view the foods and other informations in the application through direct call to api functions without any authenication

Proof of Concept

Step 1 ) Go to http://demo.kcal.cooking/api/v1/foods?page[number]=1&page[size]=12

Now we can see the entire food and recipes lists that present in the application


Authenication bypassed and exposed the information due to lack of restriction for api functions.

We have contacted a member of the kcal-app/kcal team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit 0f2d05 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation