Roole: Exploiting an IDOR Vulnerability to Take Over a Contract

Hacking

In this article, we explore how two chained security flaws allowed an attacker to take control of another member's contract on the Roole platform. Once the contract was hijacked, it became possible to cancel policies, retrieve certificates, view vehicle information, access bank details (RIB and bank account information), and modify personal information.


First Step: Vulnerable Endpoint ContratsByIdAdhesions

The initial entry point is the following endpoint:

https://bffmoncompte.roole.fr/api/InfosContractuelles/ContratsByIdAdhesions
  • Vulnerable Parameter: idAdhesions=
  • Type of Vulnerability: IDOR (Insecure Direct Object Reference)

Hint: By iterating over idAdhesions values, you can enumerate various membership IDs and retrieve the associated list of contracts.

For example, when using the ID 210000xx, the API returns the following JSON:

[{
  "idAdhesion": 210000xx,
  "nom": "DUPONT",
  "prenom": "JEAN",
  "identifiant": "3E-00000000",
  "dateFin": null,
  "marque": "MARQUE",
  "modele": "MODELE",
  "immatriculation": "AA-000-AA",
  "validiteContrat": 0
}]

Here, we can already spot key information, including the license plate (immatriculation) and the contract identifier (identifiant).


Extracting Information: Second IDOR Endpoint

Once the target contract has been located, the second IDOR flaw lies in the endpoint:

https://bffmoncompte.roole.fr/api/MonContrat/InfosContrat/21000035

Hint: Simply replace 21000035 with the membership ID you want to access, and you’ll get the complete contract details.

For instance:

{
  "contratId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "idAdhesion": "XXXXXXXX",
  ...
  "coordonneesBancaires": {
    "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "iban": "FRXXXXXXXXXXXXXXXXXXXXXXXXX",
    "titulaire": "XXXXX XXXXX"
  },
  ...
}

Thanks to this flaw, an attacker can collect:

  • The internal contract ID (contratId),
  • Bank details (IBAN, account holder),
  • The subscriber’s personal information, and more.

Contract Takeover: The Final Step

To finalize the takeover, all that remains is to log in to your own Roole account and use the Add a Contract feature. Only two pieces of information are required:

  1. The license plate: for example, AA-000-AA.
  2. The contract number (identifier): 3E-00000000.

Hint: Once these fields are filled in, the target contract is linked to the attacker’s account, granting full control.

After providing this information, the attacker can then:

  • Cancel the contract,
  • Download certificates,
  • Access bank details,
  • Change personal information, etc.

Conclusion

These two chained IDOR vulnerabilities highlight how easily an attacker can take over another member’s contract in the absence of strict access controls. By simply enumerating an adhesion ID and then adding the contract via the plate number and contract identifier, an attacker can:

  • Gain access to personal data (name, account holder, RIB…),
  • Cancel or fully modify the contract.

This chain of flaws underscores the critical need to verify both who the user is and whether they are authorized for the specific object requested before allowing any access to resources as sensitive as an insurance contract.
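As an added illustration (not Roole's code), here is what the two endpoints look like once the missing server-side ownership check is enforced. The data model, the account identifiers, the comma-separated form of idAdhesions and the choice of answering 404 for any adhesion the caller does not own are assumptions made for this example:

```python
# Added example, not the platform's code: ownership enforcement for the
# ContratsByIdAdhesions and InfosContrat endpoints.  Data model, account ids
# and the 404-for-unowned policy are assumptions for the illustration.
from dataclasses import dataclass

# Constructed sample data: which logged-in account owns which adhesion.
ADHESION_OWNER = {21000035: "acct-A", 21000036: "acct-B", 21000037: "acct-A"}
CONTRATS = {
    21000035: {"idAdhesion": 21000035, "nom": "DUPONT", "prenom": "JEAN",
               "identifiant": "3E-00000000", "immatriculation": "AA-000-AA"},
    21000036: {"idAdhesion": 21000036, "nom": "MARTIN", "prenom": "ANNE",
               "identifiant": "3E-11111111", "immatriculation": "BB-111-BB"},
    21000037: {"idAdhesion": 21000037, "nom": "DUPONT", "prenom": "JEAN",
               "identifiant": "3E-22222222", "immatriculation": "CC-222-CC"},
}

@dataclass
class Response:
    status: int
    body: object = None

def owns(account_id: str, id_adhesion: int) -> bool:
    """Authorization check: the adhesion must belong to the logged-in account."""
    return ADHESION_OWNER.get(id_adhesion) == account_id

def contrats_by_id_adhesions(account_id: str, id_adhesions: str) -> Response:
    """Hardened ContratsByIdAdhesions: returns only adhesions the caller owns.
    Assumes the parameter is a comma-separated list of numeric ids."""
    try:
        requested = [int(x) for x in id_adhesions.split(",") if x.strip()]
    except ValueError:
        return Response(400, {"error": "invalid idAdhesions"})
    # Silently drop foreign ids instead of answering 403 per id, so the
    # endpoint cannot be used as an oracle for which ids exist.
    allowed = [CONTRATS[i] for i in requested if owns(account_id, i) and i in CONTRATS]
    return Response(200, allowed)

def infos_contrat(account_id: str, id_adhesion: int) -> Response:
    """Hardened InfosContrat/{idAdhesion}: a foreign id gets the same 404 as
    a non-existent one, so no bank or contract data leaks."""
    if not owns(account_id, id_adhesion) or id_adhesion not in CONTRATS:
        return Response(404, {"error": "not found"})
    return Response(200, CONTRATS[id_adhesion])
```

With the lookup bound to the session's account, enumerating idAdhesion values yields nothing, which also removes the plate and identifiant an attacker would need for the Add a Contract step.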