cross-posted from: https://lemmy.dbzer0.com/post/65115248
Broken Function Level Authorization in Enterprise Campus Recruitment: A Case Study in BFLA and DPDP Compliance.
Recently, I audited the frontend architecture of Superset, a recruitment SaaS utilized by major Tech and Big Four firms, and identified a critical exposure.
Here is the technical breakdown of the authorization failure:
Metadata Leakage: The platform secures “unlisted” job links using UUIDv4s. However, rendering a public company registration page triggers a background API call for branding metadata. Despite developers using a silent=true parameter to hide this in the UI, basic network telemetry captures the request, exposing the Master Tenant UUID (companyCode).
The Lateral Pivot: Using the leaked companyCode, I queried the public enumeration endpoint: /tnpsuite-core/public/companies/[companyCode]/job-profile-outlines
BFLA Bypass: The API lacks token verification. It blindly trusts the companyCode and returns an unauthenticated JSON array containing hiring outlines for the 2025 and 2026 cycles.
The exposed JSON schema included:
• ctcMin, ctcMax, fixedPay (Proprietary compensation structures)
• publiclyVisible: false (Allowing a temporal bypass to view future vacancies)
• userType: COMPANY_USER, including full names and emails of HR leads (A severe compliance violation under Section 8 of the DPDP Act).
Remediation & Next Steps: Complex URLs are not authorization boundaries. Security requires strict logic checks at the function level.
I have privately briefed our affected campus partners so they can initiate vendor-risk remediation. This public disclosure is heavily sanitized strictly to highlight the DPDP compliance gaps in HR tech architecture.
#CyberSecurity #AppSec #BFLA #RiskManagement #DPDP #ThreatIntel #OpenToWork
cc: Superset, Data Security Council of India (DSCI), OWASP® Foundation, ISACA
My nephew did this. Is he in legal trouble? I don't know Indian law.
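As an added example that is not part of the original post and not the vendor's code: a small Python model of the job-profile-outlines endpoint the write-up describes, with the handler that blindly trusts the companyCode path parameter beside a hardened one that decides based on the caller's verified identity. The field names (companyCode, ctcMin, ctcMax, fixedPay, publiclyVisible, userType COMPANY_USER) are taken from the post; the tenant UUID, outline rows, contact details, the Principal type and the function names are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample tenant data (not the vendor's). Keys reuse the field
# names the post lists; the UUID and contact details are made up.
OUTLINES = {
    "11111111-2222-4333-8444-555555555555": [
        {
            "outlineId": 1,
            "title": "Graduate Software Engineer 2025",
            "publiclyVisible": True,
            "ctcMin": 1200000,
            "ctcMax": 1500000,
            "fixedPay": 1000000,
            "contacts": [{"userType": "COMPANY_USER",
                          "name": "HR Lead (constructed)",
                          "email": "hr-lead@example.com"}],
        },
        {
            "outlineId": 2,
            "title": "Graduate Software Engineer 2026",
            "publiclyVisible": False,  # future cycle, not announced yet
            "ctcMin": 1300000,
            "ctcMax": 1600000,
            "fixedPay": 1100000,
            "contacts": [{"userType": "COMPANY_USER",
                          "name": "HR Lead (constructed)",
                          "email": "hr-lead@example.com"}],
        },
    ]
}

# Fields an anonymous caller may see. Compensation and HR contact data are
# deliberately absent from this projection.
PUBLIC_FIELDS = frozenset({"outlineId", "title"})


@dataclass(frozen=True)
class Principal:
    """Identity taken from a verified session token, never from the URL.
    (Assumed shape; the real platform's token contents are not known.)"""
    user_id: str
    company_code: str
    user_type: str


class Forbidden(Exception):
    """Raised when the caller's tenant binding does not match the request."""


def vulnerable_outlines(company_code: str) -> list:
    """Models the failure in the post: the path parameter is the only 'check'.
    Anyone holding the companyCode gets every outline with every field."""
    return [dict(row) for row in OUTLINES.get(company_code, [])]


def hardened_outlines(company_code: str,
                      principal: Optional[Principal] = None) -> list:
    """Function-level authorization: the decision depends on who is calling,
    not on whether they obtained the tenant identifier."""
    rows = OUTLINES.get(company_code, [])
    if principal is None:
        # Anonymous caller: only outlines already marked public, and only
        # the public projection of each (no ctc*, fixedPay or contacts).
        return [{k: v for k, v in row.items() if k in PUBLIC_FIELDS}
                for row in rows if row["publiclyVisible"]]
    # Authenticated caller: the tenant comes from the token and must equal
    # the tenant in the path. A mismatch is refused regardless of user type.
    if principal.user_type != "COMPANY_USER" or principal.company_code != company_code:
        raise Forbidden(f"user {principal.user_id} is not a company user of {company_code}")
    return [dict(row) for row in rows]


def access_allowed(company_code: str, principal: Optional[Principal]) -> bool:
    """Predicate form of hardened_outlines for checks: True if the request
    would be served, False if it would be refused."""
    try:
        hardened_outlines(company_code, principal)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    cc = "11111111-2222-4333-8444-555555555555"
    print("vulnerable, anonymous:", vulnerable_outlines(cc))
    print("hardened, anonymous:", hardened_outlines(cc))
    print("hardened, insider:", hardened_outlines(cc, Principal("u1", cc, "COMPANY_USER")))
```

The design point is that the companyCode in the browser's network requests has to be treated as public, since the silent=true flag only hides it from the UI; the hardened handler therefore never lets the identifier alone unlock data. A production version would also answer an unknown or foreign tenant with the same response it gives for an unknown one (for example 404 instead of 403) so the endpoint cannot be used to confirm which UUIDs exist.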
