Research shows how data protection systems are vulnerable to attack
A security researcher has detailed how they were able to exploit GDPR laws to leak sensitive personal information from the systems put in place to protect it.
Full-time bug bounty hunter Hx01 detailed how they were able to gain access to personally identifiable information (PII) stored by various organizations including Fortune 500 companies.
The General Data Protection Regulation (GDPR) was introduced across the EU in May 2018 to safeguard citizens’ data.
Under the sweeping legislation, individuals can use a Data Subject Access Request (DSAR) to access information that an organization is processing about them.
However, as Hx01 found, many of these organizations are exposed to DSAR vulnerabilities and exploits “ranging from lack of email confirmations to an SSTI affecting multiple organizations”, meaning that an unauthorized attacker could gain access to private data.
One vulnerability Hx01 found was unauthenticated DSAR forms. DSAR portals allow users to request changes to the data an organization holds on them, typically through an online form.
In some instances, unauthenticated users could submit a form asking for data to be removed or changed without having to verify themselves by email.
This means that an individual’s data can be modified by an impersonator, who can also go as far as deleting their information or account.
The security researcher also detailed how an off-the-shelf DSAR platform used by 6,000 organizations, including Fortune 500 companies, was vulnerable to server-side template injection (SSTI) attacks, which could be used to confirm requests as a victim.
Added to this, companies accepting DSAR requests through email channels would often process a request without vetting it. Because these organizations did not authenticate incoming email, an attacker could spoof a message in the victim’s name and submit a DSAR request on their behalf.
Such requests looked legitimate and were processed accordingly.
Speaking to The Daily Swig, Hx01 said: “The impact of the findings varied from organization to organization, for example a background checking firm would send back a candidate’s full SSN with other PII information, whereas an organization would delete all of the project files and integrations permanently without confirming with the customer.”
They added: “If exploited at large this could’ve been used for stealing/deleting/modifying the victim’s PII.
“Ironically GDPR laws were made to protect users’ private data, however they could be abused to exfiltrate users’ private data.
“Mitigation would include proper vetting of the DSAR before moving forward with the request.”
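The two intake weaknesses described above (web forms processed without an email confirmation, and email-channel requests accepted without sender authentication) can both be closed at the point where a request is vetted. The following is an added illustration written for this article, not code from Hx01’s write-up or from any DSAR vendor; the secret, account address and both email messages are constructed, and it assumes the receiving mail server writes an Authentication-Results header with SPF, DKIM and DMARC outcomes.

```python
import hashlib
import hmac
import re
import secrets
from email import message_from_string

# Constructed example of DSAR intake vetting (not Hx01's code or any
# vendor's platform). SECRET stands in for a key held server-side.
SECRET = b"constructed-server-side-secret"

def _token(email: str, nonce: str) -> str:
    return hmac.new(SECRET, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_confirmation(email: str) -> tuple[str, str]:
    """Create the nonce and HMAC token mailed to the address on record.
    A web-form request is only queued once the token is presented back."""
    nonce = secrets.token_hex(8)
    return nonce, _token(email, nonce)

def confirmed(email: str, nonce: str, token: str) -> bool:
    # constant-time compare so the check itself does not leak the token
    return hmac.compare_digest(_token(email, nonce), token)

def email_authenticated(raw_message: str) -> bool:
    """For DSARs arriving by email: trust the From address only when the
    receiving MTA recorded spf, dkim and dmarc passes for that domain."""
    msg = message_from_string(raw_message)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    passes = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    aligned = re.search(r"header\.from=([\w.-]+)", results)
    return (all(passes.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
            and aligned is not None and aligned.group(1).lower() == from_domain)

def vet_dsar(request: dict) -> str:
    """Return 'queue' only for a vetted request; everything else is refused."""
    if request["channel"] == "web":
        ok = confirmed(request["email"], request["nonce"], request["token"])
    elif request["channel"] == "email":
        ok = email_authenticated(request["raw_message"])
    else:
        ok = False
    return "queue" if ok else "reject"

# Constructed sample messages: one that the MTA authenticated, one that it did not.
GENUINE = ("From: Alice <alice@example.com>\nAuthentication-Results: mx.example.net;\n"
           " spf=pass smtp.mailfrom=example.com;\n dkim=pass header.d=example.com;\n"
           " dmarc=pass header.from=example.com\nSubject: DSAR\n\nPlease send my data.\n")
SPOOFED = ("From: alice@example.com\nAuthentication-Results: mx.example.net; spf=fail "
           "smtp.mailfrom=attacker.test; dkim=none; dmarc=fail header.from=example.com\n"
           "Subject: DSAR\n\nPlease delete my account.\n")
```

A request that fails either check is rejected rather than processed, which is the vetting step the researcher recommends.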
A more detailed explanation of how to mitigate against these vulnerabilities can be found in a technical write-up (PDF) from Hx01.