Full Report
Part 3: How the Red Agent bypassed a credit and paywall system by changing a single client-side value from false to true.
Analysis Summary
The following is a summary of the vulnerability discovered by the Wiz Red Agent as described in the provided article.
# Vulnerability: Unauthorized Credit and Paywall Bypass via Client-Side Logic Flaw
## CVE Details
- **CVE ID:** Not Assigned (This is a business-logic flaw in a proprietary B2B platform).
- **CVSS Score:** N/A (Estimated Critical based on data exposure).
- **CWE:** CWE-639: Authorization Bypass Through User-Controlled Key; CWE-840: Business Logic Errors.
## Affected Systems
- **Products:** An undisclosed leading B2B data platform.
- **Versions:** Production environment as of the research date (July 2026).
- **Configurations:** Systems utilizing client-side metadata to govern server-side data masking and entitlement enforcement.
## Vulnerability Description
The vulnerability is a **Business Logic Flaw** residing in the platform’s API. The platform uses a credit-based system to mask sensitive PII (emails and phone numbers) for free-tier users.
Technical analysis revealed that the backend API endpoints (such as `hPeopleSearch` and `hPersonLookup`) accepted an undocumented boolean flag—derived from frontend JavaScript bundles—that controlled the "unmasking" of contact data. The backend server failed to perform an independent server-side verification of the user's credit balance or subscription level before honoring this flag. By manually injecting the flag (e.g., `unmaskContactData: true`) into the API request, an attacker could force the server to return cleartext data without deducting credits.
## Exploitation
- **Status:** Identified by researchers; addressed by the vendor.
- **Complexity:** Low (Requires simple modification of a JSON request body).
- **Attack Vector:** Network (Web API).
## Impact
- **Confidentiality:** High. Exposure of 600M+ business emails, 135M+ verified phone numbers, and associated personal data.
- **Integrity:** Low/None.
- **Availability:** Low/None (Though automated scraping could potentially impact performance).
## Remediation
### Patches
- The vendor has implemented server-side validation to ensure that data-unmasking flags are only honored if the user has sufficient credits and the appropriate entitlement level.
### Workarounds
- There are no viable client-side workarounds for this type of logic flaw; remediation must occur on the server.
## Detection
- **Indicators of Compromise:** Unusual API traffic patterns originating from free-tier accounts, specifically requests containing non-standard or "hidden" parameters.
- **Detection Methods:** Organizations should monitor for Mass Assignments or "Parameter Pollution" where unexpected fields are submitted to internal APIs. Implement behavioral analytics to detect accounts that are accessing high volumes of unmasked data without corresponding credit deductions.
## References
- Wiz Blog: hxxps://www.wiz[.]io/blog/red-agent-pov-business-logic
- Red Agent POV Series: hxxps://www.wiz[.]io/blog/red-agent-pov-series