Discover how an IDOR vulnerability allowed unauthorized budget changes in a private program. Learn the steps to reproduce this security flaw and its potential impact on user privacy.
IDOR vulnerabilities can potentially expose user data or allow unauthorized access to sensitive features. In this blog post, I’ll walk you through a recent discovery I made while testing Examlent.com (a placeholder name for the private program’s domain), a platform where individuals seek job opportunities and employers find potential candidates. This IDOR flaw had the potential to compromise user privacy by letting an attacker manipulate a user’s budget without their consent.
The IDOR Bug
As a bug bounty hunter, my mission was to explore Examlent.com for any potential security vulnerabilities. During my testing, I discovered an intriguing IDOR (Insecure Direct Object Reference) bug that allowed any user to change another user’s budget without taking over their account. The endpoint responsible for this flaw was
Steps to Reproduce
- Prepare Two Accounts: You’ll need two different accounts for this test — one as the attacker and the other as the victim.
- Capture the Edit Budget Request: Use your attacker account to capture the “Edit Budget” request made by the victim.
- Identify the hid= Value: Now, you may be wondering how the attacker can obtain the `hid=` value. Well, in this scenario, the attacker is conducting a random attack, because here the hid value is only 8 characters long. They can attempt to brute force random id values.
- Send the Request: With the “Edit Budget” request and the hid= value in hand, the attacker can now send the request.
- Observe the Change: As a result, you’ll notice that the budget of the victim’s account has been altered without their consent.
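To make the root cause concrete, here is an added example (not code from the platform or from the original post) that models the budget-edit handler twice: the vulnerable form, which trusts the caller-supplied `hid` alone, and the fixed form, which resolves the record and then checks that it belongs to the server-side session user. The record store, user names and `hid` values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class BudgetRecord:
    hid: str      # 8-character object id, as described in the write-up
    owner: str    # account that owns this budget
    amount: int

# Constructed in-memory store standing in for the platform's database.
RECORDS = {
    "a1b2c3d4": BudgetRecord("a1b2c3d4", "victim", 500),
    "e5f6g7h8": BudgetRecord("e5f6g7h8", "attacker", 100),
}

# Denied attempts a defender would forward to logging/SIEM: a burst of
# different hid values from one session is the signature of id guessing.
DENIED_LOG = []

class Forbidden(Exception):
    pass

def edit_budget_vulnerable(session_user, hid, new_amount):
    """Vulnerable: looks the record up by hid and never asks who owns it."""
    record = RECORDS[hid]
    record.amount = new_amount
    return record.amount

def edit_budget_fixed(session_user, hid, new_amount):
    """Fixed: authorization is decided by the session, not by knowing the hid."""
    record = RECORDS.get(hid)
    # Treat "missing" and "not yours" identically so the response does not
    # reveal which hid values exist.
    if record is None or record.owner != session_user:
        DENIED_LOG.append({"user": session_user, "hid": hid})
        raise Forbidden("budget not found")
    record.amount = new_amount
    return record.amount

def handle_request(handler, session_user, hid, new_amount):
    """Tiny request wrapper returning an HTTP-style (status, body) pair."""
    try:
        return 200, handler(session_user, hid, new_amount)
    except (KeyError, Forbidden):
        return 403, None

if __name__ == "__main__":
    print(handle_request(edit_budget_vulnerable, "attacker", "a1b2c3d4", 1))
    print(handle_request(edit_budget_fixed, "attacker", "a1b2c3d4", 1))
```

The ownership check is the actual fix; making ids long and random only raises the cost of guessing and is not a substitute for it.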
The unauthorized budget change not only compromises user privacy but also potentially results in financial losses, creating significant repercussions for both the victims and the platform’s integrity.
This critical IDOR vulnerability raised awareness about the need for enhanced security measures. Recognizing the significance of this discovery, Examlent.com promptly awarded me a bounty of $1000.
This IDOR bug underscores the importance of continuously examining web applications for potential vulnerabilities. Security researchers should consider testing the boundaries of permissions within applications to see if they can make changes without gaining full access to another user’s account.
Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.