[IDOR] $400 — Deleting Other Project in Shopee

Tengku Arya Saputra
3 min read · Aug 12, 2023


Hello everyone, my name is Tengku Arya Saputra (follow me on LinkedIn). Previously I discussed a discovery rated critical that earned a $6,400 bounty; on this occasion I will share a finding on a Shopee subdomain.

In a bug bounty program owned by Shopee, I found an IDOR vulnerability on the subdomain ****.

The first step was to visit the page on the Shopee site.

Next, I registered with my email address [username]@wearehackerone.com.

After successful registration I was directed to choose between Shopee Seller and Third-Party Partner.

Select the Third Party Partner Platform option and fill in the data until it is complete. After completion you are directed to the dashboard; then follow the steps to reproduce.

Steps to create a project: create a project on the Local Store account type with a free store area, then save (Create Project). Note: the account type must match between the two test accounts; if user 1 uses Local Store, then user 2 must also use Local Store.

[Screenshots: the dashboard of account 1 and of account 2]

Shop ID of account 1 = 58074

Shop ID of account 2 = 58072

Then I deleted the project in account 1, whose shop ID is 58074, and captured the request.

[Screenshots: the delete request sent from account 1 and from account 2]

Using the project-delete request from user 1, I could delete the project of user 2 simply by replacing the SHOP_ID in the body, {"shop_id":"58074"}, with {"shop_id":"58072"}.

You can see that the response shows success, which means I successfully deleted the project belonging to account 2 using account 1’s request.
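To make the root cause concrete, here is an added illustration (not Shopee's code) of a project-delete handler in the vulnerable shape described above, next to a version that checks shop ownership server-side. The shop IDs 58074 and 58072 are the ones from the report; the in-memory ownership table, account names and response shapes are constructed for the example.

```python
# Added example, not Shopee's code: a minimal model of the delete-project endpoint
# from the write-up, in its vulnerable form and with the ownership check that
# closes the IDOR. Shop IDs 58074 / 58072 are from the post; everything else
# (owner table, account names, response shape) is constructed for illustration.
import json

# Constructed data: which authenticated account owns which shop.
SHOP_OWNER = {"58074": "account1", "58072": "account2"}


def make_projects():
    # Fresh per-shop project lists, so each handler runs against the same starting state.
    return {"58074": ["local-store-project"], "58072": ["local-store-project"]}


def delete_project_vulnerable(session_user, raw_body, projects):
    """Trusts the client-supplied shop_id: any logged-in user can delete any shop's projects."""
    body = json.loads(raw_body)
    shop_id = str(body.get("shop_id", ""))
    if shop_id not in projects:
        return {"status": 404, "success": False}
    projects[shop_id].clear()  # never checks that session_user owns shop_id
    return {"status": 200, "success": True}


def delete_project_fixed(session_user, raw_body, projects):
    """Resolves ownership server-side: the shop must belong to the authenticated user."""
    body = json.loads(raw_body)
    shop_id = str(body.get("shop_id", ""))
    # Deny unless the shop exists AND is owned by the caller. Returning the same
    # response for "unknown" and "not yours" also avoids confirming which IDs exist
    # to someone iterating through sequential shop IDs.
    if SHOP_OWNER.get(shop_id) != session_user:
        return {"status": 403, "success": False}
    projects[shop_id].clear()
    return {"status": 200, "success": True}


# The tampered request from the write-up: account 1's delete call with shop_id
# swapped to account 2's shop.
TAMPERED_REQUEST = '{"shop_id":"58072"}'
```

Running the tampered request through both handlers shows the vulnerable one wiping account 2's project while the fixed one refuses and leaves the data intact.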

Impact

This allows an attacker to delete every user's projects by brute-forcing shop IDs, and the attack can be carried out very quickly.

Timeline

Report — July 22, 2022

Change To Triaged — July 27, 2022

Reward Bounty — Sep 29, 2022

Resolved — April 4, 2022
