Summary
Fix a broken access control vulnerability where authenticated users can attach another user's platform links to their own DevCard profile by supplying arbitrary platformLink IDs.
This allows profile impersonation and violates ownership guarantees across public cards.
Contexts
cards.ts accepts linkIds from the client and directly creates CardLink records without validating ownership.
Currently, any authenticated user can:
- fetch another user's public profile,
- obtain exposed
platformLink IDs,
- create/update a card using those IDs,
- display another user's verified social profiles as their own.
Affected areas:
apps/backend/src/routes/cards.tsapps/backend/src/routes/public.ts
Example vulnerable pattern:
Summary
Fix a broken access control vulnerability where authenticated users can attach another user's platform links to their own DevCard profile by supplying arbitrary
platformLinkIDs.This allows profile impersonation and violates ownership guarantees across public cards.
Contexts
cards.tsacceptslinkIdsfrom the client and directly createsCardLinkrecords without validating ownership.Currently, any authenticated user can:
platformLinkIDs,Affected areas:
apps/backend/src/routes/cards.tsapps/backend/src/routes/public.tsExample vulnerable pattern:
platformLinkId: linkId