URGENT Security Issue in Download Attachment API

There is a security issue with the way the Attachment Download API works. For users that are already authenticated in the application (i.e., have already logged in through the login page), requests to that download endpoint do not first check to see if the user making the request has access rights to the attachment that is being called for download. The regular download call does check this as it has the authKey in the request URL.

Here is an example.  I log in with a test user who only has access to his own requests.  In looking at a download call from one of my tickets I can see the download request is called to:

[servername]/workorder/FileDownload.jsp?module=Request&ID=[attachmentID]&authKey=[authkey]

If I were to start randomly guessing attachment IDs and making calls to the corresponding URLs it does not let me download attachments my account does not have access to:


However, if I know the API URL for the download and make a call to that URL I am able to download the attachments:


This means that any user with a login to the system would be able to download ANY attachment from ANY ticket, even ones that they cannot see or access. This is a huge security issue, especially considering your API documentation is publicly available.
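The gap reported above is an object-level authorization check that exists on one download path but not the other. The following is an added sketch, not code from the original post or from the vendor's product, showing both paths calling one shared check; the data model, the technician role and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: attachment ID -> owning ticket, ticket -> requester.
ATTACHMENT_TICKET = {101: 1, 102: 2}
TICKET_REQUESTER = {1: "alice", 2: "bob"}
TECHNICIANS = {"tech1"}  # hypothetical role that may view every ticket


@dataclass(frozen=True)
class Session:
    user: str  # populated only after a successful login


class Forbidden(Exception):
    """Raised when the caller may not read the requested attachment."""


def can_view_ticket(session, ticket_id):
    # Object-level rule: requesters see their own tickets, technicians see all.
    return (session.user in TECHNICIANS
            or TICKET_REQUESTER.get(ticket_id) == session.user)


def authorize_attachment(session, attachment_id):
    """Single check that every download path calls before reading bytes."""
    ticket_id = ATTACHMENT_TICKET.get(attachment_id)
    # Unknown IDs and other users' tickets get the same answer, so guessing
    # IDs does not reveal which attachments exist.
    if ticket_id is None or not can_view_ticket(session, ticket_id):
        raise Forbidden(f"attachment {attachment_id} not available")
    return ticket_id


def ui_download(session, attachment_id):
    # Stands in for the FileDownload.jsp path described in the post.
    authorize_attachment(session, attachment_id)
    return f"bytes-of-{attachment_id}"


def api_download(session, attachment_id):
    # Stands in for the API path: being logged in is not sufficient here.
    authorize_attachment(session, attachment_id)
    return f"bytes-of-{attachment_id}"


def try_download(handler, session, attachment_id):
    """Return an HTTP-style status code for one download attempt."""
    try:
        handler(session, attachment_id)
        return 200
    except Forbidden:
        return 403
```

A regression test for this class of bug requests another user's attachment through every download path and expects the same refusal from each.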
