I earned $1000 from an IDOR vulnerability leaking PII, outside any bug bounty platform.
Hello everyone, my name is Tengku Arya Saputra (follow me on LinkedIn). On this occasion I will describe how I found a security hole rated at a very critical severity level. I found this bug outside of any bug bounty platform, so this was an external program.
Initially I found an IDOR, but I escalated it further and ended up with a vulnerability in which the data disclosed is very sensitive user data.
Open the application on Android and visit the profile page to change the data. Before that, I had connected the app to a proxy in Burp Suite to intercept the data that would be sent to the server.
When I saved the changes, I checked the data that was sent to the server in Burp Suite and saw something striking in the request. The server's response showed the identity from my own personal account. In the next step I will prove that this is really an IDOR vulnerability by replacing the userId parameter in the endpoint with someone else's:
POST /api/jsonws/invoke HTTP/2
Host: redacted.com
Authorization: Basic ***************21haWwuY29tOjRrdVAxblQ0ciUkI0AheTN5
Content-Type: application/json; charset=utf-8
Content-Length: 89
Accept-Encoding: gzip, deflate
User-Agent: okhttp/2.7.5

[
  {
    "\/***.***\/get-profile-****-by-user-id-v2": {
      "groupId": 20143,
      "userId": 13936494  // other people's property
    }
  }
]
I got it! I managed to prove that this is really an IDOR: I can see other people's highly sensitive data just by modifying the parameters.
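The missing server-side check, as an added example written for this writeup rather than code from the affected application: it parses the same batch-invoke body shape as the request above, resolves the caller from the Basic auth header, and shows the lookup that trusts the client's userId beside one that binds it to the authenticated user. The account table, profile store, method path and ids are all constructed placeholders.

```python
import base64
import json

# Constructed sample profile store (not data from the report), keyed by userId.
PROFILES = {13936494: {"name": "Other User", "email": "other@example.test"},
            20240001: {"name": "Tester", "email": "tester@example.test"}}
# Constructed test account: username -> (password, userId).
ACCOUNTS = {"tester@example.test": ("s3cret", 20240001)}


def basic_header(username, password):
    """Build the Basic Authorization header the mobile client sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Resolve the caller's userId from Basic auth, or None if invalid."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        username, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    account = ACCOUNTS.get(username)
    if account is None or account[0] != password:
        return None
    return account[1]


def parse_invoke_batch(body):
    """Split a JSON web service batch ([{method_path: params}, ...]) into calls."""
    calls = json.loads(body)
    if not isinstance(calls, list):
        raise ValueError("batch must be a JSON array")
    return [(path, params) for call in calls for path, params in call.items()]


def vulnerable_get_profile(headers, body):
    """Looks up whatever userId the client sent: the IDOR described above."""
    if authenticate(headers) is None:
        return 401, {"error": "unauthenticated"}
    return 200, [PROFILES.get(p["userId"]) for _, p in parse_invoke_batch(body)]


def hardened_get_profile(headers, body):
    """Rejects any userId that does not belong to the authenticated caller."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    calls = parse_invoke_batch(body)
    if any(params.get("userId") != caller for _, params in calls):
        return 403, {"error": "forbidden"}  # object reference not owned by caller
    return 200, [PROFILES[caller] for _ in calls]
```

Authenticated, authorized and "forbidden" outcomes are distinguishable in the responses, which is also what makes the failed cross-user lookups easy to alert on in server logs.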
Timeline
Report — March 2, 2024
Changed to Triaged — March 9, 2024
Team responded — March 13, 2024
Bounty rewarded via mobile banking ($1000) — March 17, 2024
Resolved — March 18, 2024