BugUnstuck

Trusted extra eyes for stuck bug bounty findings

IDOR | YesWeHack | bola | idor | e2e-encryption | tanker-sdk | healthcare | enumeration | OPEN

BOLA on E2E encryption group records - need impact beyond enumeration

Healthcare platform with end-to-end encryption (Tanker SDK). I can enumerate encryption group identifiers for other patients and doctor agendas by iterating the subject_id parameter. Cross-boundary access (patient can reach practitioner records) is confirmed. The weak spot: I cannot yet show how possessing a tanker_group_identifier leads to actual document decryption or content access. Registration POST returns 500. Need someone familiar with Tanker SDK internals or E2E encryption group semantics to help map the path from group ID enumeration to actual data exposure. DM @BugUnstuck on Twitter.

Focus area: Tanker SDK exploitation / E2E group identifier impact
by s3nt1n3l | 3h ago | Confidence: 65/100 | 4 views | 0 interested