Summary

  • An individual has detailed a case of an unauthorized data access (UAD) issue they stumbled upon whilst bounty hunting.
  • They were using various reconnaissance tools such as SubFinder, httpx, and gau to analyse the parameters of a target domain.
  • They discovered an unauthenticated API endpoint https://api.target.com/v2/profile/getProfileDetails?id=123456 which could be used to retrieve user data.
  • The lack of authentication, such as tokens or cookies, meant that any user could access the data without permission.
  • This issue is known as an IDOR (Insecure Direct Object Reference): the application exposes a direct reference to an internal object (here the numeric profile id) and serves it without first checking that the requesting user is authorised to access that object.
  • They were, however, unable to notify the target organisation of the IDOR because the organisation was not running a responsible disclosure programme.
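The endpoint pattern described above, as an added example that is not part of the original write-up or the target's code: a minimal model of a `getProfileDetails` handler, first in the form the summary describes (the caller-supplied `id` is trusted and nobody is authenticated) and then with the two checks that close the IDOR: authenticate the caller, then verify the caller may read the requested object. The `PROFILES` and `SESSIONS` stores, the `Request` type and the handler names are assumptions constructed for illustration.

```python
# Added example, not from the original write-up. PROFILES, SESSIONS,
# Request and the handler names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profile store (stands in for the real backend).
PROFILES = {
    123456: {"id": 123456, "name": "Alice", "email": "alice@example.com"},
    123457: {"id": 123457, "name": "Bob", "email": "bob@example.com"},
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 123456, "tok-bob": 123457}


@dataclass
class Request:
    query: dict                                    # parsed query string
    headers: dict = field(default_factory=dict)    # HTTP request headers


def _parse_id(req: Request) -> Optional[int]:
    """Return the requested profile id, or None if it is not an integer."""
    try:
        return int(req.query.get("id", ""))
    except ValueError:
        return None


def get_profile_details_vulnerable(req: Request) -> tuple:
    """IDOR as described in the summary: any id is served to any caller,
    with no token or cookie required."""
    profile_id = _parse_id(req)
    if profile_id is None:
        return 400, {"error": "bad id"}
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def authenticate(req: Request) -> Optional[int]:
    """Map a bearer token to a user id, or None if absent/unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_profile_details_fixed(req: Request) -> tuple:
    """Fixed handler: authentication first, then object-level authorization.
    A profile that belongs to someone else is reported exactly like a
    missing one, so the endpoint cannot be used to confirm which ids exist."""
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    profile_id = _parse_id(req)
    if profile_id is None:
        return 400, {"error": "bad id"}
    profile = PROFILES.get(profile_id)
    if profile is None or profile_id != caller:
        return 404, {"error": "not found"}
    return 200, profile


if __name__ == "__main__":
    anon = Request({"id": "123457"})
    alice = Request({"id": "123457"}, {"Authorization": "Bearer tok-alice"})
    print("vulnerable, no auth:", get_profile_details_vulnerable(anon))
    print("fixed, no auth:     ", get_profile_details_fixed(anon))
    print("fixed, wrong owner: ", get_profile_details_fixed(alice))
```

The design point is that a valid session alone is not enough: the fixed handler also compares the authenticated principal with the owner of the object being requested, which is the check an IDOR is missing. Returning the same 404 for "does not exist" and "not yours" keeps the endpoint from leaking which ids are valid.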

By Iski
