
CVE-2022-24187: n/a in n/a

High
Tags: Vulnerability, CVE-2022-24187
Published: Mon Nov 28 2022 (11/28/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

The user_id and device_id on the Ourphoto App version 1.4.1 /device/* endpoints both suffer from insecure direct object reference vulnerabilities. Other end-users' user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses and the unique frame_token values of all other Ourphoto App end-users.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 09:49:36 UTC

Technical Analysis

CVE-2022-24187 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the Ourphoto App version 1.4.1, specifically its /device/* endpoints. These endpoints accept user_id and device_id parameters and return the referenced object without checking that it belongs to the caller. Because both identifiers are sequential integers, an attacker who knows one valid value can walk the ID space by incrementing or decrementing it and retrieve other users' records. The data exposed includes end-user email addresses and each user's unique frame_token. The advisory does not state what frame_token is used for; if it authenticates a photo frame or device to an account, its disclosure could let an attacker act on or receive content for another user's device, so it should be treated as a credential until the vendor says otherwise.

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5 (High): reachable over the network, low attack complexity, no privileges and no user interaction required, high confidentiality impact, and no direct impact on integrity or availability. The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key). The vendor and product fields of the CVE record are empty, no fixed version is listed, and no patches or exploitation in the wild had been reported at the time of this analysis. The record was published on November 28, 2022 and has since been enriched by CISA. In short, an attacker can harvest user data at scale from predictable identifiers without authentication or user interaction, a serious privacy exposure for anyone using the Ourphoto App for photo management or sharing.
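The pattern described above, as an added example that is not code from the Ourphoto App or its vendor: a minimal Python model of a /device/<id> lookup in its vulnerable form (the object is fetched by a client-supplied id with no ownership check) beside the hardened form (ownership verified against the server-side caller identity, and foreign objects indistinguishable from missing ones), with the increment walk from the CVE run against both. The backend data, endpoint shape and function names are assumptions constructed for illustration.

```python
"""
Added example (not Ourphoto code): a minimal model of the /device/<id> lookup.

The CVE text says user_id and device_id are sequential numbers and that the
endpoint returns other users' email and frame_token. The data, endpoint shape
and function names below are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: int
    owner_user_id: int
    owner_email: str
    frame_token: str


# Constructed sample backend state: three users, sequential device ids.
DEVICES = {
    1001: Device(1001, 1, "alice@example.com", "ft-a1b2"),
    1002: Device(1002, 2, "bob@example.com", "ft-c3d4"),
    1003: Device(1003, 3, "carol@example.com", "ft-e5f6"),
}


def get_device_vulnerable(caller_user_id, device_id):
    """Vulnerable pattern: the caller identity is never compared with the
    object's owner, so whatever device_id names is returned. Per the CVSS
    vector (PR:N) the real endpoint did not even require a session."""
    dev = DEVICES.get(device_id)
    if dev is None:
        return None
    return {"email": dev.owner_email, "frame_token": dev.frame_token}


def get_device_hardened(caller_user_id, device_id):
    """Fixed pattern: resolve the object, then verify ownership against the
    identity established server-side (session or signed token), never
    against a client-supplied user_id. Missing and foreign objects both
    yield None so an enumeration walk learns nothing from the response."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner_user_id != caller_user_id:
        return None
    return {"email": dev.owner_email, "frame_token": dev.frame_token}


def enumerate_devices(handler, caller_user_id, start, count):
    """Replays the attack from the CVE: walk sequential device_id values
    and collect every record the handler hands back."""
    leaked = {}
    for device_id in range(start, start + count):
        rec = handler(caller_user_id, device_id)
        if rec is not None:
            leaked[device_id] = rec
    return leaked


if __name__ == "__main__":
    # Attacker is user 2 (Bob) and walks ids 1000..1009.
    print("vulnerable:", enumerate_devices(get_device_vulnerable, 2, 1000, 10))
    print("hardened:  ", enumerate_devices(get_device_hardened, 2, 1000, 10))
```

Against the vulnerable handler the walk returns all three users' email addresses and frame_tokens; against the hardened handler Bob gets only his own record. Switching to opaque identifiers (UUIDs or random tokens) makes the walk impractical, but it is a defence in depth, not a substitute for the ownership check: a leaked or guessed opaque id must still fail for anyone but its owner.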

Potential Impact

For European organizations whose staff or customers use the Ourphoto App, this vulnerability is primarily a privacy and data-protection risk. Unauthorized access to email addresses and frame_tokens supports targeted phishing, and, if frame_tokens are used for authentication or session handling, unauthorized access to other users' devices or content. Email addresses are personal data under GDPR, so their exposure can trigger notification duties, regulatory penalties and reputational damage. Because the identifiers are sequential and no authentication is required, an attacker can harvest the entire user base systematically rather than one record at a time, so any breach is likely to be large in scale. The vulnerability does not affect integrity or availability directly, but a confidentiality breach of this kind is still serious, and more so where the app is used by organizations in sectors that handle sensitive personal data such as healthcare, finance and public administration.

Mitigation Recommendations

The root-cause fix belongs to the application's developer: every /device/* handler must check that the object named by user_id or device_id belongs to the authenticated caller before returning any data, and that check must use the caller identity established server-side (session or signed token), not a user_id supplied by the client. Replacing sequential numeric ids with non-predictable, opaque identifiers (UUIDs or random tokens) makes enumeration impractical and is worth doing in addition to, not instead of, the ownership check. All sensitive endpoints should require authentication, and responses for missing and foreign objects should be indistinguishable so that a walk through the id space yields no information. Code review and penetration testing focused on IDOR across all object-referencing endpoints, not just /device/*, will catch sibling instances of the same flaw.

The CVE record lists no fixed version, so organizations that deploy the app should monitor the vendor for a security update and apply it promptly once available. Until then, server-side mitigations are monitoring access logs for enumeration patterns (one client requesting many distinct, consecutive /device/<id> values in a short window), rate limiting those endpoints per client, and rotating frame_tokens if the vendor provides a way to do so. Users should be warned that their email address may be exposed and to treat unexpected Ourphoto-themed messages as likely phishing.
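The log-monitoring mitigation above, as an added example that is not part of the advisory or the vendor's tooling: Python detection logic that parses access-log lines, groups /device/<id> requests by client, and flags any client whose requests inside a time window cover many distinct ids including a run of consecutive values (the increment or decrement walk from the CVE). The log format, field names, thresholds and the sample log lines are assumptions constructed for this illustration.

```python
"""
Added example (not from the advisory or the Ourphoto vendor): detection of
sequential-id enumeration against /device/* in web access logs. The log
format, thresholds and function names are assumptions; the log lines are
constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one client walks 1001..1006 within seconds; a
# second client makes two ordinary requests to a single device.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2022:10:00:01 +0000] "GET /device/1001 HTTP/1.1" 200 312
203.0.113.7 - - [28/Nov/2022:10:00:02 +0000] "GET /device/1002 HTTP/1.1" 200 318
203.0.113.7 - - [28/Nov/2022:10:00:02 +0000] "GET /device/1003 HTTP/1.1" 200 309
203.0.113.7 - - [28/Nov/2022:10:00:03 +0000] "GET /device/1004 HTTP/1.1" 200 315
203.0.113.7 - - [28/Nov/2022:10:00:03 +0000] "GET /device/1005 HTTP/1.1" 200 320
203.0.113.7 - - [28/Nov/2022:10:00:04 +0000] "GET /device/1006 HTTP/1.1" 200 311
198.51.100.9 - - [28/Nov/2022:10:00:05 +0000] "GET /device/1002 HTTP/1.1" 200 318
198.51.100.9 - - [28/Nov/2022:10:07:40 +0000] "GET /device/1002/photos HTTP/1.1" 200 4096
"""

# Common log format (assumed): ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
DEVICE_RE = re.compile(r"^/device/(?P<id>\d+)(?:/|$)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_device_hits(log_text):
    """Yields (ip, timestamp, device_id) for each request naming a numeric device id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DEVICE_RE.match(m["path"])
        if not d:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(d["id"])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among ids."""
    s = set(ids)
    best = 0
    for i in s:
        if i - 1 in s:
            continue  # not the start of a run
        n = 1
        while i + n in s:
            n += 1
        best = max(best, n)
    return best


def find_enumerators(log_text, window=timedelta(minutes=5), min_distinct=5, min_run=4):
    """Flags clients that request at least min_distinct distinct device ids within
    one window and whose ids contain a consecutive run of at least min_run.
    Returns {ip: {"distinct": n, "run": r}} for the first window that trips."""
    by_ip = defaultdict(list)
    for ip, ts, dev in parse_device_hits(log_text):
        by_ip[ip].append((ts, dev))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for start in range(len(hits)):  # sliding window over time-ordered hits
            t0 = hits[start][0]
            window_ids = [dev for ts, dev in hits[start:] if ts - t0 <= window]
            distinct = len(set(window_ids))
            run = longest_consecutive_run(window_ids)
            if distinct >= min_distinct and run >= min_run:
                flagged[ip] = {"distinct": distinct, "run": run}
                break
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Requiring both a distinct-id count and a consecutive run keeps ordinary multi-device users below the threshold while catching the increment walk; include 404 responses as well as 200s, because a walk through sparse ids produces both. The flagged client list can feed a per-client rate limit or block on the /device/* routes while the underlying authorization bug is still unpatched.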


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-01-31T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbeefc1

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/22/2025, 9:49:36 AM

Last updated: 8/4/2025, 5:31:54 AM
