Magento security scan tool allowed access to any and all security scan reports that company ran on the site. Vulnerability was classified under Insecure Direct Object Reference (IDOR) because by simply changing the parameter value it allowed the user to access the data which the user was not authorized to. It makes very easy for attacker to view all security reports of other websites because of incremental ID. Issue was discovered on the same day the tool was launched and immediately reported.
Proof Of Concept
- Login to your magento.com account
- Go to https://account.magento.com/scanner/index/report/id/ANY_INCREMENT_ID_HERE (start id from 100)
Issue was reported to Magento and they have since fixed this.