IDOR: users can attach another user's platform links to their own cards

[Ridanshi]

Summary

Fix a broken access control vulnerability where authenticated users can attach another user's platform links to their own DevCard profile by supplying arbitrary platformLink IDs.

This allows profile impersonation and violates ownership guarantees across public cards.

---

Contexts

cards.ts accepts linkIds from the client and directly creates CardLink records without validating ownership.

Currently, any authenticated user can:

1. fetch another user's public profile,
2. obtain exposed platformLink IDs,
3. create/update a card using those IDs,
4. display another user's verified social profiles as their own.

Affected areas:

• apps/backend/src/routes/cards.ts
• apps/backend/src/routes/public.ts

Example vulnerable pattern:

platformLinkId: linkId

[Ridanshi]

Hi @Harxhit,
I would like to work on this issue as part of GSSoC 2026. The issue is reproducible and I already have a minimal, isolated fix approach prepared for ownership validation in the affected card routes.
Kindly assign this issue to me. Thank you!

[Harxhit]

Hi @Harxhit, I would like to work on this issue as part of GSSoC 2026. The issue is reproducible and I already have a minimal, isolated fix approach prepared for ownership validation in the affected card routes. Kindly assign this issue to me. Thank you!

Please wait for 24 hours, as this is the assignment protocol we follow before assigning issues. Thank you for your patience and understanding.