New Exploitable BOLA Found in Immich (self-hosted media platform)

News

Full disclosure I’m at Escape but wanted to share something we found that would be interesting to those here! Escape’s security research team found a Broken Access Control flaw in Immich which let any user read photos in a locked folder without the required PIN. Immich is a self-hosted media platform with 100k+ stars on GitHub. Their “locked folder” hides sensitive assets behind a PIN-elevated session. What we found: Four of the five search endpoints enforce that; POST /search/random doesn’t. If you send it with the visibility field simply omitted and it returns the caller’s locked assets from a session that never entered the PIN, and, with a partner relationship, the partner’s locked assets too. If you’re interested in how we did it or how you can reproduce it yourself the full breakdown with reproduction instructions is linked! And if anyone has any questions we would love to answer them. submitted by /u/EscapeSecurity [link] [comments]Technical Information Security Content & DiscussionRead More