I earned $1000 with IDOR’s vulnerability to PII leaks outside the platform.

Tengku Arya Saputra
3 min readMar 17, 2024

--

Hello everyone, introducing my name Tengku Arya Saputra (Follow my Linkedin) on this occasion I will tell you how I found a security hole with a very critical vulnerability level, I got this bug outside of any bug bounty platform, so this is an external program.

Initially I found IDOR but I further escalated and got a vulnerability where the data released is very sensitive data for users.

Open the application on android. Visit the profile to change the data and before that I have connected a proxy on burpsuite to intercept the data that will be sent to the server.
to the server.

Image 1

When I saved the changes I checked the data that was sent
to the server using burpsuite and I see something striking in the request, and this is the response that the server displays by showing the identity of myself in my personal account, in the next step I will prove that this is really an IDOR vulnerability where I will modify other people’s paramater with endpoints

Request
response

And this is the response that the server displays by showing
identity on my personal account, in the next step I will
prove that this is really an IDOR vulnerability where I will modify someone else’s paramater with the IDOR endpoint.

POST /api/jsonws/invoke HTTP/2
Host: redacted.com
Authorization: Basic
***************21haWwuY29tOjRrdVAxblQ0ciUkI0AheTN5
Content-Type: application/json; charset=utf-8
Content-Length: 89
Accept-Encoding: gzip, deflate
User-Agent: okhttp/2.7.5
[
{
"\/***.***\/get-profile-****-by-user-id-v2":
{
"groupId":20143,
"userId":13936494 //other people's property
}
}
]

I got it! I managed to prove that this is really IDOR, I can see other people’s highly sensitive data just by modifying the parameters.

Timeline

Report — March 2, 2024

Change To Triaged — March 9, 2024

Respond Team — March 13, 2024

Reward Bounty via Mobile Banking $1000–17 March, 2024

Resolved — 18 March, 2024

--

--

Tengku Arya Saputra
Tengku Arya Saputra

Written by Tengku Arya Saputra

Penetration Tester || Cyber Security Analyst || Cyber Security Enthusiast

Responses (8)