HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: OAuth Token Bypass in Healthcare Portal

Client Type: Health SaaS Platform | Engagement: API Pentest | Date: July 2025

Background

A healthcare management platform (HMS) storing medical records, prescriptions, and reports for 50+ hospitals onboarded HackVitraSec for a comprehensive API VAPT.

Vulnerability Details

Our team found a critical OAuth token validation flaw. A previously generated access token from a different user account could be reused to fetch other users' medical records.

The backend failed to verify the audience and scope of the token before allowing access to protected resources.

Impact

  • Exposed patient health reports and test history
  • Access to doctor-patient chat logs
  • Major HIPAA & healthcare compliance risk

Exploitation

Using Burp Suite and Postman, the team replayed a valid token with minor header changes to access records belonging to other users. The proof of concept demonstrated live exposure of patient data.

Remediation

  • Enforced token validation (introspection) at every protected endpoint
  • Implemented proper OAuth scope and audience checks
  • Shortened token lifespan and introduced refresh token rotation

Lessons Learned

  • Always validate tokens at the backend, not just the client
  • Use strict audience and scope enforcement
  • Limit token usage contextually per role
