Known Participant
June 5, 2014
Question

Adobe Connect API/Webservices - Serious bug - Security issue


I found a huge security/bug issue in the Adobe Connect API/Webservice method principal-update. I discovered that it is possible to update existing users just by using their Login ID instead of Principal ID:

Say I create a user John Doe:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=John&last-name=Doe&login=jdoe&password=asdasdasd&has-children=false

If I try to create another user Robert Ford with the same USERNAME:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=Robert&last-name=Ford&login=jdoe&password=asdasdfff&has-children=false

No error will be shown, INSTEAD it will change John Doe's first name/last name to Robert's name! This is a huge serious bug.

It SHOULD ONLY UPDATE users WHEN A PRINCIPAL ID IS PASSED IN. In fact, in Adobe's own documentation...it states to use a Principal ID to update the user.

So HOW exactly should I prevent this???? I cannot check if the login id exists before creating the user because that is not guaranteed.
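The upsert-by-login behaviour described in the post, reproduced offline against a constructed stand-in for the Connect endpoint, together with a defensive client wrapper. This is an added example, not code from the post or from Adobe: the fake server models only the behaviour the post describes (no principal-id in the request, so the call matches an existing principal by login and overwrites it); the wrapper assumes the principal-update parameters shown in the post and a principal-list action with a filter-login parameter (taken from Adobe's documentation as an assumption); the XML shapes are simplified, and the account-id value "###" is the post's own placeholder. The wrapper does a pre-check via principal-list, which closes the common case, and a post-check against a local registry of principal-ids it has created, which detects (but cannot undo) an overwrite when the pre-check loses a race with a concurrent creator.

```python
"""Defensive wrapper for Adobe Connect principal-update (added example, not Adobe's code)."""
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

BASE = "https://connectapisite/api/xml"   # host from the post; the server below is a fake


class FakeConnectServer:
    """CONSTRUCTED stand-in that reproduces the behaviour described in the post:
    principal-update without principal-id matches by login and overwrites."""

    def __init__(self):
        self.by_login = {}      # login -> {"id", "login", "first", "last"}
        self.next_id = 1000

    def get(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["action"] == "principal-list":
            # filter-login assumed from Adobe's docs; response shape simplified
            hits = [p for p in self.by_login.values()
                    if p["login"] == q.get("filter-login", p["login"])]
            body = "".join(
                f'<principal principal-id="{p["id"]}"><login>{p["login"]}</login>'
                f'<name>{p["first"]} {p["last"]}</name></principal>' for p in hits)
            return f'<results><status code="ok"/><principal-list>{body}</principal-list></results>'
        if q["action"] == "principal-update":
            p = self.by_login.get(q["login"])          # the upsert-by-login bug
            if p is None:
                p = {"id": str(self.next_id), "login": q["login"]}
                self.next_id += 1
                self.by_login[q["login"]] = p
            p["first"], p["last"] = q["first-name"], q["last-name"]
            return (f'<results><status code="ok"/><principal principal-id="{p["id"]}">'
                    f'<login>{p["login"]}</login></principal></results>')
        return '<results><status code="invalid"/></results>'


class LoginCollision(Exception):
    """Raised when a create would (pre-check) or did (post-check) hit an existing login."""


def build_url(**params):
    return BASE + "?" + urlencode(params)


class SafePrincipalCreator:
    """Client-side guard: only ever calls principal-update for a login it has
    verified as absent, and remembers every principal-id it has created."""

    def __init__(self, server, account_id="###"):   # "###" is the post's placeholder
        self.server = server
        self.account_id = account_id
        self.created = {}                           # principal-id -> login

    def lookup(self, login):
        xml = self.server.get(build_url(action="principal-list", **{"filter-login": login}))
        root = ET.fromstring(xml)
        return [p.get("principal-id") for p in root.iter("principal")]

    def create(self, first, last, login, password, precheck=True):
        # 1. Pre-check: refuse if the login already exists. precheck=False simulates
        #    losing the race the post mentions (login created between check and call).
        if precheck and self.lookup(login):
            raise LoginCollision(f"login {login!r} already exists; refusing to create")
        xml = self.server.get(build_url(
            action="principal-update", **{"account-id": self.account_id, "type": "guest",
            "first-name": first, "last-name": last, "login": login,
            "password": password, "has-children": "false"}))
        root = ET.fromstring(xml)
        if root.find("status").get("code") != "ok":
            raise RuntimeError("principal-update failed: " + xml)
        pid = root.find("principal").get("principal-id")
        # 2. Post-check: a principal-id this client already handed out means the call
        #    updated an existing user instead of creating one. Damage is done by now,
        #    so this is detection for alerting/rollback, not prevention.
        if pid in self.created:
            raise LoginCollision(
                f"principal-update overwrote existing principal {pid} ({self.created[pid]!r})")
        self.created[pid] = login
        return pid


def demo():
    """Return (name after guarded second create, name after a raced create)."""
    server = FakeConnectServer()
    creator = SafePrincipalCreator(server)
    creator.create("John", "Doe", "jdoe", "asdasdasd")
    try:
        creator.create("Robert", "Ford", "jdoe", "asdasdfff")        # pre-check blocks
    except LoginCollision:
        pass
    guarded = server.by_login["jdoe"]["first"]
    try:
        creator.create("Robert", "Ford", "jdoe", "asdasdfff", precheck=False)
    except LoginCollision:
        pass                                                          # post-check detects
    return guarded, server.by_login["jdoe"]["first"]


if __name__ == "__main__":
    print(demo())
```

The registry only covers principals this client created, so the post-check is partial by design; a provisioning system that is the sole creator of accounts gets full coverage from it, while anything created out of band needs reconciliation against principal-list.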


    Jorma_at_Knox
    Legend
    June 5, 2014

    I strongly recommend that you post the bug here, Adobe - Feature Request/Bug Report Form, and then contact support at 800-945-9120. If you have a licensed deployment, reach out to the contact listed in your support agreement.