Late night IDOR got me unauthorised access to your account

imwaiting18
4 min read · Apr 27, 2024


Hiya Everyone!

It has literally been a while. I hope this write-up finds you well. My finding is not going to be rocket science or some genius move I made. It was just a wild bug hiding in plain sight, and I happened to be at the right place at the right time. That being said, let’s dive right into it…

What’s an IDOR?

Insecure direct object reference (IDOR) is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

In layman’s terms: given that I am authorized to access Object(A), some input from my side instructs the server to fetch that object and present it to me. Sounds pretty normal, right? But am I also authorized to access Object(B), which belongs to a different user? The vulnerability is that the server never asks that question.

With this mindset I started looking for IDORs in the web application I was hunting on. I cannot disclose anything about the company, so let’s just call it secret.com.

On secret.com, to register, the user is redirected to the usual app.secret.com subdomain. There, a user has two options: log in directly to an existing account or register for a new one.

After looking for some basic broken-authentication bugs on the login page, I decided to sign up for an account. The registration form had a few common fields: First Name, Last Name, Email Address, Password, and Password confirmation. I filled in all the details and submitted the form, and the server responded with a message.

registration confirmation

The email I received in my inbox looked something like this:

email in my inbox after the registration

Everything up to here was normal, but then I noticed the link I had received.

https://app.secret.com/?func=register.activate&key=E4FF6AAFE29957CF71FFE95C1021707AEF3BC6ABC8F85A13B54C0E26D896D692&obj=1000005358

The numeric object key looked very tempting, so I decided to tamper with the parameter. On opening the link, the server would automatically log the user into their account.

Here comes the vulnerability. The server assigns a unique numeric ID to each of its users. I knew my own ID ended in 5358, but what about the user who signed up before me? As any normal person would do, I changed the obj parameter from 1000005358 to 1000005357, and the server gave me an error.

no 401 server error

The server did not respond with a 401 Unauthorized error. This made me realize that I could reach the function; only my activation key was not valid for that object.

I removed the key parameter entirely and boom, I was in. I was now logged in as user 1000005357 and had full access to their dashboard.

https://app.secret.com/?func=register.activate&obj=1000005357
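To make the observed behaviour concrete, here is an added Python sketch (not code from the write-up or from secret.com) of an activation handler that fails the way described above, next to a hardened one. The user table, e-mail addresses and activation keys are constructed; only the object IDs come from the write-up.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample user table: numeric object id -> record.
# The ids mirror the write-up; e-mails and keys are made up.
def make_users():
    return {
        1000005357: {"email": "earlier-user@example.com",
                     "key": "A" * 64, "activated": False},
        1000005358: {"email": "me@example.com",
                     "key": "B" * 64, "activated": False},
    }

def _params(url):
    # parse_qs drops blank values, so "key=" counts as missing too.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def vulnerable_activate(url, users):
    """Reproduces the observed bug: a wrong key is rejected, but a
    missing key skips the check and logs in as whatever `obj` says."""
    p = _params(url)
    user = users.get(int(p.get("obj", "0")))
    if user is None:
        return "error: no such user"
    if "key" in p and p["key"] != user["key"]:
        return "error: invalid activation key"   # the error seen in the post
    user["activated"] = True
    return "logged in as %s" % p["obj"]

def hardened_activate(url, users):
    """Key is mandatory, bound to obj, compared in constant time and
    consumed on first use; every failure returns the same message."""
    p = _params(url)
    key, obj = p.get("key"), p.get("obj")
    if not key or not obj or not obj.isdigit():
        return "error: invalid activation link"
    user = users.get(int(obj))
    if user is None or user["key"] is None:
        return "error: invalid activation link"
    if not hmac.compare_digest(key, user["key"]):
        return "error: invalid activation link"
    user["activated"] = True
    user["key"] = None   # single use: the link cannot be replayed
    return "logged in as %s" % obj
```

The hardened handler also refuses to say whether an object ID exists, so the "invalid key" versus "no such user" difference that made the numeric ID worth probing disappears.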

I could make changes to their dashboard, such as inviting myself as an Admin with full access, removing protections like SSL certificates and the WAF, and much more.

I was feeling good ngl

I quickly recorded a video PoC, as I could not believe it could be that simple. To perform the attack again I had to sign up again, because each link only worked once. I used a temp mail to receive my precious link and started creating video PoCs.

Classification: IDOR leading to zero-click account takeover.

Within a day I received a response from the team:

I am a bit disappointed to this day as to why they decided to underpay for such a crucial bug. But we have to move on someday. Looking back, it was a great night, a good experience, and some Ps in my pocket.

For IDOR references and their types, you can refer to the article below:


imwaiting18

[linkedin.com/in/rajyaguruvirang] I hack stuff and talk about it. Open to collaborating on Cool Cyber Security projects. Exploring Mobile Pentesting