{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/red-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Red Agent"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["business-logic-flaw","authorization-bypass","api-security","red-team","data-collection"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eWiz's \u0026quot;Red Agent,\u0026quot; an autonomous AI pentesting system, identified a critical business-logic flaw within a leading B2B platform's data API. This vulnerability allowed any free-tier user to bypass the platform's paywall and access premium, unmasked contact information for over 600 million profiles without expending credits. The flaw stemmed from the backend's failure to validate user entitlements before honoring a client-controlled parameter, \u003ccode\u003eunmaskContactData: true\u003c/code\u003e, which was meant to be exclusive to paid tiers. This misconfiguration meant the server implicitly trusted client input, enabling widespread data exfiltration by manipulating a single boolean value in API requests. The platform's security team promptly remediated the issue within hours of the report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance and Bundle Analysis:\u003c/strong\u003e The Red Agent began by mapping the application's API surface, analyzing over 130MB of client-side JavaScript bundles to extract over 100 distinct API endpoint paths, including internal data operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI Endpoint Identification:\u003c/strong\u003e Specific internal data API endpoints were identified, such as \u003ccode\u003ePOST /api/internal/data/hPeopleSearch\u003c/code\u003e, \u003ccode\u003ePOST /api/internal/data/hPersonLookup\u003c/code\u003e, and \u003ccode\u003ePOST /api/internal/data/hUnifiedSearch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHypothesis Generation \u0026amp; Schema Reverse-Engineering:\u003c/strong\u003e Through analysis of request/response schemas embedded in the frontend codebase, the agent identified a boolean parameter, \u003ccode\u003eunmaskContactData\u003c/code\u003e, which was referenced in the code but not used in standard free-tier search flows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFormulation of Hypothesis:\u003c/strong\u003e The agent hypothesized that because the frontend was aware of this flag, the backend likely accepted it, and tested whether the server would validate user entitlements before honoring the flag, or blindly trust client input.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBaseline Measurement:\u003c/strong\u003e A normal search request was performed from a free-tier account, confirming that data masking was active and functioning as intended under standard operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation via Parameter Injection:\u003c/strong\u003e The agent replayed the exact same search request but injected the \u003ccode\u003eunmaskContactData: true\u003c/code\u003e flag into the JSON payload of the API request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization Bypass:\u003c/strong\u003e The server accepted the injected flag without checking the user's credit balance or tier entitlements, returning the records fully unmasked, thus bypassing the paywall.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe identified business logic flaw allowed free-tier users to access critical, unmasked data for over 600 million business profiles. This included business email addresses for all 600 million contacts, over 135 million verified direct phone numbers, personal email addresses for approximately 50% of records, and comprehensive company intelligence (revenue, headcount, addresses). The vulnerability fundamentally compromised the platform's primary authorization and monetization controls, enabling data to be retrieved at scale without payment. While quickly remediated by the platform's security team, such a flaw could lead to massive data exposure, reputational damage, and significant financial losses if exploited by malicious actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement rigorous server-side validation for all client-controlled parameters, especially those that influence data access or authorization, to prevent authorization bypasses as observed with the \u003ccode\u003eunmaskContactData\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eConduct thorough security reviews and penetration testing specifically targeting business logic flaws, as traditional SAST/DAST tools often miss these subtle vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEnsure that all entitlement, pricing, and access decisions are enforced server-side, per record, and are never inferred or solely reliant on client-side input.\u003c/li\u003e\n\u003cli\u003eDeploy API gateway or WAF logging capable of inspecting HTTP request bodies for unusual parameters or patterns, which would be necessary to detect \u003ccode\u003eunmaskContactData: true\u003c/code\u003e injections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T15:29:51Z","date_published":"2026-07-15T15:29:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-b2b-platform-logic-flaw/","summary":"An autonomous Red Agent discovered a critical business-logic flaw in a B2B platform's data API, allowing free-tier users to bypass the paywall and access premium, unmasked contact data for over 600 million profiles by adding a boolean flag, `unmaskContactData: true`, to standard API requests, due to the backend accepting client-controlled parameters without verifying user entitlements.","title":"B2B Platform Paywall Bypass via Client-Side Boolean Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-07-b2b-platform-logic-flaw/"}],"language":"en","title":"CraftedSignal Threat Feed - Red Agent","version":"https://jsonfeed.org/version/1.1"}