[IDOR] $400 — Deleting Other Project in Shopee

Tengku Arya Saputra
3 min readAug 12


Hello everyone, introducing my name Tengku Arya Saputra (Follow my Linkedin) previously I have discussed about my discovery with a very critical vulnerability level with a bounty $6,400, on this occasion I will try to share my discovery on the shopee subdomain

on a bug bounty program owned by the company shopee, I found an IDOR vulnerability on the subdomain ****.

The first step I did was try to visit the page on the shopee site.

The next step I registered by registering my email address [username]@wearehackerone.com

After successful registration I will be directed to choose shopee seller or third-party partner

select the option on the Third Party Partner Platform and fill in the data until it is complete after completion, it will be directed to the dashboard then follow the steps to reproduce: Steps to create a project: Create project on Local Store account type with free store area -> save Create Project (Note: The account type must be adjusted, if user 1 uses Local Store, then user 2 must also use Local Store)

account 1
account 2

ID SHOP account 1 = 58074

ID SHOP account 2 = 58072

Then I delete the project in account 1 with ID = 58074

Requests account 1
Requests account 2

with access request project on user1 , I can delete project on user2 by replacing SHOP_ID {"shop_id":"58074"} To {"shop_id":"58072"}

You can see that the response shows success, which means I successfully deleted the project belonging to account 2 using account 1’s request.


This will cause the attacker to delete all projects by using the bruteforce method, the attacker can carry out this attack very quickly.


Report — July 22, 2022

Change To Triaged — July 27, 2022

Reward Bounty — Sep 29, 2022

Resolved — April 4, 2022



Tengku Arya Saputra

Penetration Tester || Cyber Security Analyst || Cyber Security Enthusiast