
Cross-Partner Invoice Read Exposes Years of Financial Records

Reported: May 12, 2026
Severity: High
Platform: Web API
Vulnerability Class: IDOR (CWE-639)
Target Type: Live Experiences / Events Marketplace
Impact: 316 invoice PDFs across 9 unrelated partners, 6 countries

The Risk

Anyone on the internet could sign up through the company's public group-tickets form and instantly read the private financial records of unrelated business partners. From one fresh account the researcher pulled 316 invoice files belonging to 9 different partner companies across 6 countries, with records going back to 2017. Each file showed the partner's legal name, tax registration, full ticket sales, the company's commission rates, and exact payout amounts.

The Vulnerability

The company runs a partner portal where venues and event organisers manage their listings and view invoices. Partners get tenant-scoped accounts that are supposed to see only their own data.

Two flaws combined:

  • The public group-tickets signup form minted a real low-privilege partner manager account inside a default organisation, with no captcha, no invitation token, no approval. Anyone could obtain a valid bearer token for the portal in under five minutes.
  • The invoice listing endpoint at GET /api/partner/v1/partners/{partner_id}/invoices/ required a bearer token but failed to verify that the caller's token actually belonged to the requested partner id. Roughly a third of probed partner ids returned full invoice listings to a token bound to an unrelated organisation.
  • Each invoice listing entry contained a direct link to the PDF on a public storage host. The PDF host did not require any authentication at all. Once the URL was known, the PDF opened in any browser with no session.

The Attack

  1. Open the public group-tickets signup form in a clean browser, fill in any details with a controlled email, submit. The form returns a new business id and user id.
  2. Open the welcome email, click the create-password link, set a password.
  3. Log in to the partner portal. The bearer token lands in localStorage.
  4. Loop the bearer token through a list of partner ids. For each id that returns HTTP 200, parse the invoice listing.
  5. Download each linked invoice PDF directly from the public storage host with no authorization header. The PDF renders in full.

What each invoice contained

  • Partner legal entity name and registered address.
  • Tax registration identifier.
  • Itemized ticket sales by channel (box office, marketplace, partner integrations, group sales).
  • The platform's per-channel fee structure and commission percentages.
  • Gross revenue, total services charged, VAT, and net payout to the partner.
  • For a festival partner: a five-figure negotiated commercial discount, plus the count of on-site cashless-payment hardware deployed at the venue.

The Impact

From a single fresh account, the researcher retrieved 316 invoices belonging to 9 unrelated partners in multiple European and North American markets, with historical records back to 2017. Per-partner totals ranged from 1 invoice up to 147 for a single venue.

The combination is unusually damaging: it merges cross-tenant personal data, tax-grade financial records, and the company's own commercial pricing strategy in a single bug exploitable by any internet user.

Boundary checks confirmed the bug was a real authorization failure, not a public feed: unauthenticated requests to the same endpoint returned 401, and some partner ids consistently returned 401 to the test token, showing the scoping check existed but was broken on certain routes.

Remediation

  • Scope the invoice listing endpoint strictly to the caller's verified partner membership. Reject unauthorized foreign partner ids at the API gateway before any database lookup runs.
  • Audit every route under the same service for the same partial-scoping pattern. The inconsistency suggests an authorization decorator applied per-handler rather than globally.
  • Replace static public PDF URLs with short-lived signed URLs bound to an authorized user and partner. UUIDs in filenames are not a security boundary once leaked through this API.
  • Reconsider the self-service group-ticket signup flow. Even if the signup itself is desired, the resulting account should not be capable of querying tenant-scoped admin routes against arbitrary partner ids.
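The first and third remediation points, worked as an added example (not the vendor's code): a scope check that runs before any invoice query, and signed PDF links that expire and cannot be reused as bare paths. The token claim shape, the INVOICE_DB sample table and the placeholder signing key are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller's token is not bound to the requested partner."""

@dataclass(frozen=True)
class TokenClaims:
    user_id: str
    partner_ids: frozenset  # partners this account is verified to belong to

# Constructed sample data standing in for the invoice table (assumption, not the vendor's schema).
INVOICE_DB = {"p-100": ["inv-2017-001.pdf", "inv-2018-002.pdf"], "p-200": ["inv-2019-007.pdf"]}

def authorize_partner_scope(claims: TokenClaims, requested_partner_id: str) -> str:
    """Gateway-style check run before any database lookup: the partner id in the
    URL must be one the token is actually bound to, otherwise the request is rejected."""
    if requested_partner_id not in claims.partner_ids:
        raise Forbidden(f"partner {requested_partner_id} is outside the caller's scope")
    return requested_partner_id

def list_invoices(claims: TokenClaims, requested_partner_id: str, db=INVOICE_DB) -> list:
    """Scoped replacement for the listing route: no verified scope, no query."""
    partner_id = authorize_partner_scope(claims, requested_partner_id)
    return list(db.get(partner_id, []))

# Placeholder key: in production this comes from a secrets manager, never from source.
SIGNING_KEY = b"placeholder-signing-key"

def _mac(path: str, user_id: str, partner_id: str, expires_at: int, key: bytes) -> str:
    msg = f"{path}|{user_id}|{partner_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_pdf_url(path: str, user_id: str, partner_id: str, expires_at: int, key=SIGNING_KEY) -> str:
    """Issue a short-lived URL bound to the user and partner the listing was authorized for."""
    sig = _mac(path, user_id, partner_id, expires_at, key)
    return f"{path}?uid={user_id}&pid={partner_id}&exp={expires_at}&sig={sig}"

def verify_pdf_url(url: str, now: int, key=SIGNING_KEY) -> bool:
    """Storage-host side: reject expired or tampered links; a bare path never verifies."""
    path, _, query = url.partition("?")
    try:
        p = dict(kv.split("=", 1) for kv in query.split("&"))
        if int(p["exp"]) < now:
            return False
        expected = _mac(path, p["uid"], p["pid"], int(p["exp"]), key)
        return hmac.compare_digest(expected, p["sig"])
    except (KeyError, ValueError):
        return False
```

Applying authorize_partner_scope once at the gateway, rather than per handler, removes the inconsistency the second remediation point describes.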