Here are the steps:
1. Log in as a user with the "General Access" role (I don’t know if this is a role we created, or one that came configured with the CRM).
2. POST a request to the "Constituent Search (UM Extension)" endpoint (/bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx) with the following contents:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:blac="blackbaud_appfx_server_bizops">
<blac:SessionKey>[session key as needed]</blac:SessionKey>
<blac:SSN>[SSN to test]</blac:SSN>
</soapenv:Envelope>
```
3. If the SSN is valid and the corresponding person exists in the database, a record will be returned that contains identifying information.
4. For the next request, increment the SSN by one (or pick the next candidate some other way) and repeat the POST with the new value.
To fully exploit this, an authenticated and authorized attacker would send repeated requests and record any hits on real records. I was able to get a hit rate of about 2% in my tests, which allowed harvesting of more than 1,200 valid SSNs in around ten minutes.
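The loop above is easy to model, and so is the control that would have stopped it. The following is an added example written for this post, not code from the original writeup and not Blackbaud's implementation: a stand-in for the search-by-SSN lookup over a constructed three-record table, a replay of the incrementing-SSN loop against it, and a hypothetical `SearchGuard` that sits in front of the lookup and blocks a session either when it exceeds a per-window request budget or when its recent SSNs form a strictly incrementing run. The thresholds, verdict names and sample SSNs are all invented for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample data for the example: SSN -> constituent record.
# These values are invented and correspond to no real person or system.
CONSTITUENTS = {
    "123456789": {"name": "Alice Example", "id": 1001},
    "123456792": {"name": "Bob Example", "id": 1002},
    "123456800": {"name": "Carol Example", "id": 1003},
}

SSN_RE = re.compile(r"^\d{9}$")


def search_by_ssn(ssn):
    """Stand-in for the endpoint as described: a known SSN returns the record."""
    return CONSTITUENTS.get(ssn)


class SearchGuard:
    """Hypothetical per-session throttle and sequential-probe detector."""

    def __init__(self, max_per_window=30, window_seconds=60.0, max_sequential=5):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.max_sequential = max_sequential
        self.requests = defaultdict(deque)  # session -> deque of (timestamp, ssn)
        self.blocked = set()

    def check(self, session, ssn, now):
        """Return 'ok' (and record the request) or the reason it was refused."""
        if session in self.blocked:
            return "blocked"
        if not SSN_RE.match(ssn):
            return "malformed"
        q = self.requests[session]
        # Drop history outside the sliding window before applying the budget.
        while q and now - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            self.blocked.add(session)
            return "rate_limited"
        # Count how many of the most recent SSNs (including this one) step up by exactly 1.
        run, prev = 1, int(ssn)
        for _, seen in reversed(q):
            if int(seen) == prev - 1:
                run += 1
                prev -= 1
            else:
                break
        if run >= self.max_sequential:
            self.blocked.add(session)
            return "sequential_probe"
        q.append((now, ssn))
        return "ok"


def guarded_search(guard, session, ssn, now):
    verdict = guard.check(session, ssn, now)
    if verdict != "ok":
        return None, verdict
    return search_by_ssn(ssn), "ok"


def simulate_enumeration(start_ssn, count, guard=None, step=1,
                         session="sess-1", rate_per_second=100.0):
    """Replay the incrementing-SSN loop from the steps above.

    Returns (hits, answered, blocked): records disclosed, requests the lookup
    actually processed, and requests refused by the guard (0 when no guard).
    """
    hits = answered = blocked = 0
    for i in range(count):
        ssn = f"{start_ssn + i * step:09d}"
        now = i / rate_per_second  # simulated wall clock for the request
        if guard is None:
            record = search_by_ssn(ssn)
        else:
            record, verdict = guarded_search(guard, session, ssn, now)
            if verdict != "ok":
                blocked += 1
                continue
        answered += 1
        if record is not None:
            hits += 1
    return hits, answered, blocked


if __name__ == "__main__":
    print("unguarded:", simulate_enumeration(123456789, 20))
    print("guarded:  ", simulate_enumeration(123456789, 20, guard=SearchGuard()))
```

Against the unguarded lookup, twenty sequential probes disclose all three constructed records; with the guard in place the same loop is cut off on its fifth consecutive SSN, and a session that spreads its guesses out instead runs into the per-window budget. Either control alone would have made the 2% hit rate described above unreachable at the rate needed to harvest thousands of records in minutes.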