Exposure of Sensitive Information to an Unauthorized Actor in kcal-app/kcal


Reported on

Sep 27th 2021


An attacker can view the foods and other informations in the application through direct call to api functions without any authenication

Proof of Concept

Step 1 ) Go to http://demo.kcal.cooking/api/v1/foods?page[number]=1&page[size]=12

Now we can see the entire food and recipes lists that present in the application


Authenication bypassed and exposed the information due to lack of restriction for api functions.

We have contacted a member of the kcal-app/kcal team and are waiting to hear back a year ago
Christopher Charbonneau Wells validated this vulnerability a year ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on 0f2d05 a year ago
Christopher Charbonneau Wells has been awarded the fix bounty
to join this conversation