Security Advisory: Chamber of Commerce Software API Vulnerabilities

Major Chamber of Commerce software platforms have API security gaps exposing member data. The issue affects approximately 4,500 chambers and potentially 1.35 million businesses.

We discovered that major Chamber of Commerce software platforms (which together serve over 4,000 chambers and associations) have security gaps that expose member data.

While you need to be a member to access these platforms, once you're in, the systems don't properly check what data you should be allowed to see. Think of it like a hotel where your key card lets you into the building, but then accidentally works on every room, not just yours.

Authentication vs. Authorization

To understand the issue, it helps to know two key security concepts:

  • Authentication (AuthN): Proving you are who you say you are (like showing your ID)
  • Authorization (AuthZ): Determining what you're allowed to do or see (like having the right clearance level)

The platforms get the first part right - they check that you're a valid member.

However, they fall short on the second part. Once you're authenticated, they don't properly verify whether you should have access to specific information.

The Business Logic Flaw

The web interfaces (what you see when you log in normally) have proper controls. But the APIs (the behind-the-scenes pathways that applications use to communicate) don't enforce the same rules. This creates what we call a "business logic flaw" - the system works as designed, but the design itself is flawed.

Consider this example:

  1. When you log in as a member, you can see your own profile
  2. The API that fetches profiles uses a simple ID number
  3. By changing that ID number, you can access any other member's profile
  4. The system never checks if you should have permission to see that profile

Scale of Impact

The numbers here are significant:

  • [REDACTED] serves approximately 3,000+ chambers and associations
  • [REDACTED] works with over 1,500 organizations
  • Assuming an average of 300 members per organization (conservative estimate)
  • This means roughly 1.35 million businesses could have their data exposed

What's Exposed

Through these API gaps, someone could access:

  • Member business details and contact information
  • Payment history and invoice details
  • Private messages with chamber administrators
  • Historical data of former members
  • Technical details about the chamber software deployment

The kicker? This includes both current AND former members - meaning organizations that left years ago might still have their data exposed.

Recommendations

For Chamber Organizations

  1. Ask your software provider about API security
  2. Review your data retention policies
  3. Consider what historical data you really need to keep

For Members

  1. Know what data your chamber stores about you
  2. Request deletion of outdated information
  3. Be cautious about sensitive information shared through these platforms

For Software Providers

  1. Implement proper authorization checks on ALL endpoints
  2. Add rate limiting to prevent bulk data collection
  3. Separate admin functions from member functions at the API level
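To make the flaw in steps 1 to 4 above and the first provider recommendation concrete, here is an added illustration (example code written for this post, not code from any of the platforms): a profile handler with the authorization gap beside a version that performs object-level authorization. The endpoint shape, member IDs, organization names and the admin role are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data standing in for the platform's member table. Each
# profile belongs to one organization (a chamber); none of these values are real.
PROFILES = {
    1001: {"org": "chamber-a", "business": "Acme Bakery", "email": "owner@acme.example"},
    1002: {"org": "chamber-a", "business": "Bolt Plumbing", "email": "bob@bolt.example"},
    2001: {"org": "chamber-b", "business": "Cove Cafe", "email": "c@cove.example"},
}

Response = Tuple[int, Optional[dict]]  # (HTTP status, body)


@dataclass(frozen=True)
class Session:
    """What the platform knows about the caller once authentication (AuthN) succeeded."""
    member_id: int
    org: str
    is_admin: bool = False


def get_profile_vulnerable(session: Session, member_id: int) -> Response:
    """GET /api/members/{id} as the post describes it: the caller is a valid,
    logged-in member, but the handler trusts the ID in the URL and never asks
    whether this caller should see that record (no authorization/AuthZ)."""
    profile = PROFILES.get(member_id)
    if profile is None:
        return 404, None
    return 200, profile


def get_profile_fixed(session: Session, member_id: int) -> Response:
    """Same endpoint with object-level authorization: the decision is made from
    the caller's session, not from the identifier the caller supplied."""
    profile = PROFILES.get(member_id)
    allowed = profile is not None and (
        session.member_id == member_id                             # own profile
        or (session.is_admin and session.org == profile["org"])    # admin of that chamber
    )
    if not allowed:
        # One answer for "no such record" and "not your record", so the response
        # does not reveal which member IDs exist.
        return 403, None
    return 200, profile
```

The same check belongs on every endpoint that takes an object identifier (invoices, messages, historical records), not only on the web interface that sits in front of the API.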

Technical Evidence

Below are redacted screenshots and API response examples demonstrating the vulnerabilities. Member IDs, organization names, and unique identifiers have been obscured to protect affected parties while maintaining proof of the security gaps.

[Redacted screenshot: Member details]
[Redacted screenshot: Member communication]

Moving Forward

We believe in responsible disclosure and giving vendors time to fix issues. However, we also believe members have a right to know about risks to their data. We'll continue monitoring these platforms and will update this post as improvements are made.

Contact

For additional technical details, please get in touch with us through our contact form: https://adversis.io/contact.

Responsible Disclosure Timeline

  • Initial discovery and documentation: 07/15/24
  • First contact attempts with vendors: 07/15/24
  • Partial disclosure: 01/20/25

This disclosure follows standard responsible disclosure practices and aims to protect member data while encouraging security improvements in Chamber of Commerce software platforms.
