We discovered that major Chamber of Commerce software platforms (which together serve over 4,000 chambers and associations) have security gaps that expose member data.
While you need to be a member to access these platforms, once you're in, the systems don't properly check what data you should be allowed to see. Think of it like a hotel where your key card lets you into the building, but then accidentally works on every room, not just yours.
Authentication vs. Authorization
To understand the issue, it helps to know two key security concepts:
- Authentication (AuthN): Proving you are who you say you are (like showing your ID)
- Authorization (AuthZ): Determining what you're allowed to do or see (like having the right clearance level)
The platforms get the first part right - they check that you're a valid member.
However, they fall short on the second part. Once you're authenticated, they don't properly verify whether you should have access to specific information.
The Business Logic Flaw
The web interfaces (what you see when you log in normally) have proper controls. But the APIs (the behind-the-scenes pathways that applications use to communicate) don't enforce the same rules. This creates what we call a "business logic flaw" - the system works as designed, but the design itself is flawed.
Consider this example:
- When you log in as a member, you can see your own profile
- The API that fetches profiles uses a simple ID number
- By changing that ID number, you can access any other member's profile
- The system never checks if you should have permission to see that profile
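The pattern in that list is commonly called an insecure direct object reference (IDOR), or broken object-level authorization. As an added illustration (not code from the original post or from any of the vendors' platforms), here is a minimal profile-lookup handler written the vulnerable way beside a hardened version; the member records, organization scoping and the "admin may read profiles in their own organization" rule are assumptions made for the example.

```python
# Added example (not from the original post or any vendor's code): a minimal
# profile-lookup API written two ways, to contrast the flaw described above
# with an endpoint that enforces object-level authorization on every request.
# All member records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    member_id: int
    org_id: int
    is_admin: bool
    profile: dict


# Constructed sample directory: two organizations, one chamber admin in org 10.
MEMBERS = {
    101: Member(101, 10, False, {"name": "Acme Co", "email": "ops@acme.example"}),
    102: Member(102, 10, True, {"name": "Chamber Staff", "email": "staff@chamber.example"}),
    201: Member(201, 20, False, {"name": "Bolt Ltd", "email": "info@bolt.example"}),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested object."""


def get_profile_vulnerable(session_member_id: int, requested_id: int) -> dict:
    """Checks authentication only (a valid session exists) and then returns
    whatever ID was asked for: changing requested_id reads anyone's profile."""
    if session_member_id not in MEMBERS:
        raise PermissionError("not authenticated")
    return MEMBERS[requested_id].profile


def can_view_profile(caller: Member, target: Member) -> bool:
    """Assumed authorization rule: your own profile, or any profile in your
    own organization if you are an admin there. Admin status never crosses orgs."""
    if caller.member_id == target.member_id:
        return True
    return caller.is_admin and caller.org_id == target.org_id


def get_profile_hardened(session_member_id: int, requested_id: int) -> dict:
    """Same lookup, but the ownership/role check runs on every call, and
    'not found' and 'not allowed' raise the same error so IDs cannot be probed."""
    caller = MEMBERS.get(session_member_id)
    if caller is None:
        raise PermissionError("not authenticated")
    target = MEMBERS.get(requested_id)
    if target is None or not can_view_profile(caller, target):
        raise Forbidden("profile not accessible")
    return target.profile


def access_denied(handler, session_member_id: int, requested_id: int) -> bool:
    """True if the handler refuses the request (useful for testing both paths)."""
    try:
        handler(session_member_id, requested_id)
    except (PermissionError, Forbidden):
        return True
    return False
```

The same check belongs on every object-returning endpoint (invoices, messages, historical records), not only on the web pages that call them.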
Scale of Impact
The numbers here are significant:
- [REDACTED] serves approximately 3,000+ chambers and associations
- [REDACTED] works with over 1,500 organizations
- Assuming an average of 300 members per organization (conservative estimate)
- This means roughly 1.35 million businesses could have their data exposed
What's Exposed
Through these API gaps, someone could access:
- Member business details and contact information
- Payment history and invoice details
- Private messages with chamber administrators
- Historical data of former members
- Technical details about the chamber software deployment
The kicker? This includes both current AND former members - meaning organizations that left years ago might still have their data exposed.
Recommendations
For Chamber Organizations
- Ask your software provider about API security
- Review your data retention policies
- Consider what historical data you really need to keep
For Members
- Know what data your chamber stores about you
- Request deletion of outdated information
- Be cautious about sensitive information shared through these platforms
For Software Providers
- Implement proper authorization checks on ALL endpoints
- Add rate limiting to prevent bulk data collection
- Separate admin functions from member functions at the API level
Technical Evidence
Below are redacted screenshots and API response examples demonstrating the vulnerabilities. Member IDs, organization names, and unique identifiers have been obscured to protect affected parties while maintaining proof of the security gaps.
Moving Forward
We believe in responsible disclosure and giving vendors time to fix issues. However, we also believe members have a right to know about risks to their data. We'll continue monitoring these platforms and will update this post as improvements are made.
Contact
For additional technical details, please get in touch with us using our form found here: https://adversis.io/contact.
Responsible Disclosure Timeline
- Initial discovery and documentation: 07/15/24
- First contact attempts with vendors: 07/15/24
- Partial disclosure: 01/20/25
This disclosure follows standard responsible disclosure practices and aims to protect member data while encouraging security improvements in Chamber of Commerce software platforms.