IDOR | Private Program | 2024-01-15

IDOR leads to Account Takeover

Severity: High | Status: Resolved

Summary

During the reconnaissance phase on target.com, I noticed that the user profile update endpoint relied on a sequential numeric ID parameter user_id.

Vulnerability Details

Vulnerability Type: Insecure Direct Object Reference (IDOR)
Severity: High
Endpoint: POST /api/v1/user/profile/update

Steps to Reproduce

  1. Create two accounts: Attacker (ID: 1001) and Victim (ID: 1002).
  2. Login as Attacker and intercept the profile update request.
  3. Change user_id parameter from 1001 to 1002.
  4. Include a new email address in the body {"email": "attacker@evil.com"}.
  5. Send the request.

Impact

The server responded with 200 OK and updated the Victim’s email to the Attacker’s email. This allowed me to trigger a password reset for the victim account and take it over.

Remediation

Implement proper access control checks to verify that the user_id in the request matches the session of the currently logged-in user.
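The check described above, as an added example that is not code from the report or the vendor: the endpoint is modelled as plain Python functions (no web framework), USERS is a constructed in-memory table mirroring the two accounts in the report, and the status codes and body shape {"user_id": ..., "email": ...} follow the write-up. The vulnerable handler is shown next to the fixed one so the missing ownership check is visible; the fixed handler also logs the mismatch, which is the event a detection rule for this class of bug keys on.

```python
"""Ownership check for a profile-update endpoint (added example, not the
report's or vendor's code). Handlers take the authenticated session user id
and the parsed JSON body and return (status_code, response_body)."""
import copy
import logging

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("profile")

# Constructed sample data: the two accounts from the report.
USERS = {
    1001: {"email": "attacker@example.test"},
    1002: {"email": "victim@example.test"},
}


def fresh_users():
    """Return an independent copy of the sample table for each run."""
    return copy.deepcopy(USERS)


def update_profile_vulnerable(session_user_id, body, users):
    """Original behaviour: trusts the client-supplied user_id, so any
    logged-in user can overwrite any other user's email."""
    if session_user_id is None:
        return 401, {"error": "authentication required"}
    target = users.get(body.get("user_id"))
    if target is None:
        return 404, {"error": "no such user"}
    target["email"] = body["email"]
    return 200, {"status": "ok"}


def update_profile_fixed(session_user_id, body, users):
    """Remediated behaviour: the object being updated must belong to the
    session. Anything else (other id, missing id, id sent as a string that
    does not equal the session's integer id) is refused with 403."""
    if session_user_id is None:
        return 401, {"error": "authentication required"}
    requested_id = body.get("user_id")
    if requested_id != session_user_id:
        # Detection hook: a mismatch here is exactly the probe in the report.
        log.warning("IDOR attempt: session user %s tried to update user %s",
                    session_user_id, requested_id)
        return 403, {"error": "forbidden"}
    # Write only to the session's own row; the client id is never used as a key.
    users[session_user_id]["email"] = body["email"]
    return 200, {"status": "ok"}
```

Comparing the handlers against the same body shows the difference: with user_id 1002 in the body and a session for 1001, the vulnerable version returns 200 and changes the victim's row, while the fixed version returns 403 and leaves it untouched; a body whose user_id matches the session still succeeds. A stronger variant of the fix is to drop user_id from the request contract entirely and key every write on the session, so there is nothing for a client to tamper with.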

Responsible Disclosure

This vulnerability was reported responsibly and fixed by the vendor before public disclosure.