Unsecured Vetco portal exposed medical records via sequential IDs. Analysis, IOCs, and mitigation steps for security teams to prevent similar breaches.

Continue reading
What if a simple sequential number in a web address was the only key needed to access the private medical files of millions of pets and their owners? For Petco's Vetco Clinics, this wasn't a hypothetical scenario but a live, exploitable flaw that left a treasure trove of sensitive personal and medical data exposed to the open internet.
On December 10, 2025, security researchers disclosed a severe data exposure incident affecting Petco's veterinary subsidiary, Vetco Clinics. The breach originated from a fundamental web application security failure on the customer portal, `petpass.com`, which hosts veterinary records.
The core vulnerability was an Insecure Direct Object Reference (IDOR). The portal's PDF document generation endpoint lacked proper authorization controls. While the main login page required credentials, the specific URL pattern used to fetch generated documents (e.g., `https://petpass.com/document/[CUSTOMER_ID]`) did not validate if the requester was the authenticated account owner. Crucially, the `CUSTOMER_ID` parameter was a simple, sequential integer.
This design flaw meant that any actor could systematically access sensitive records by iterating through the ID sequence (e.g., changing .../document/100001 to .../document/100002). The exposed data was not merely basic contact information but comprehensive Personal Health Information (PHI) for pets and Personally Identifiable Information (PII) for their owners, creating multifaceted risks for identity theft, fraud, and targeted phishing.
The attack flow for this exposure was straightforward, highlighting a common yet critical oversight in access control logic.
1. Attacker visits Vetco's customer portal: `petpass.com`
2. Attacker identifies or guesses a document endpoint URL pattern (e.g., `/api/generate-pdf?id=100000`)
3. Attacker manipulates the `id` parameter incrementally: `id=100001`, `id=100002`, etc.
4. Server processes request without checking user session or ownership, fetching the record for the supplied ID.
5. Server returns the sensitive PDF document directly to the attacker.Exploitation Vector: The primary vector was a Broken Object Level Authorization (BOLA) flaw on a web API endpoint. No advanced tools were required; exploitation was possible manually via a browser or automatically with a simple scripting tool like `curl` or `wget`.
Artifacts & Payload: The "payload" in this case was the legitimate PDF document generated by the server. Each retrieved file contained a structured medical visit summary alongside owner information. The sequential nature of the identifiers turned a single-point failure into a mass data exposure vulnerability.
Impact Amplification: The exposure was compounded by Search Engine Indexing. Because at least one record was publicly accessible without barriers, Google crawled and indexed it, making the data discoverable through simple search queries.
| Type | Value | Source / Notes |
|---|---|---|
| Domain | `petpass.com` | Vetco customer portal domain. Monitor for suspicious subdomains or phishing clones. |
| URL Pattern | `/document/` or `/api/generate-pdf?id=` | Example patterns for the vulnerable endpoint. |
| File Type | PDF documents containing specific headers/footers from "Vetco Clinics" or "Petco" | Content-based detection. |
| Data Pattern | Sequential numeric IDs in URL parameters during authenticated sessions. |
1. Web Application Firewall (WAF) & SIEM Hunting: Look for automated, sequential patterns of requests to document-generation endpoints. ```sql -- Example SIEM query for sequential ID access patterns source=web_logs url="generate-pdf" OR url="/document/" | stats count, values(client_ip) as src_ips by url | where count > 50 | search url="id=" | eval id_value=tonumber(replace(url, ".id=(\d+).", "\1")) | sort + id_value ```
2. Endpoint & Network Detection:
3. YARA-L (Google Chronicle) or Similar:
Create a rule to detect files matching the exposed data schema (pet medical details alongside human PII) being written or transmitted from unexpected locations.
Recommended Log Sources: Application server logs (especially for the `petpass.com` portal), WAF logs, API gateway logs, and network proxy (HTTP) logs.
Immediate Actions (1-2 Days):
Short-Term Actions (1-2 Weeks):
Medium-Term Actions (1-3 Months):
This incident represents a High-severity risk due to the sensitivity and volume of exposed data.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.
| Hunting for scanning behavior. |