Top 25 IDOR Bug Bounty Reports

Cristian Cornea
Feb 22, 2020


In this article, we will discuss the IDOR vulnerability class, how to find one in a bug bounty program, and present 25 disclosed reports based on this issue.

What is IDOR?

IDOR stands for Insecure Direct Object Reference. It is an access control vulnerability in which the application exposes a direct reference to an internal object (a database key, a file name, a user ID) and acts on that reference without checking that the requester is authorized for the object, so an attacker reaches other users' sensitive data simply by supplying a reference that is not theirs. For example, a user would retrieve their personal and confidential data by sending a request to the following URL:

https://example.com/account.php?id=24

The server reads the user ID from the URL parameter and displays that user's information. But what happens when the user with ID 24 sends the next request?

https://example.com/account.php?id=11

If the data belonging to the user with ID 11 is returned, it is an IDOR issue.

A vulnerability like this occurs when the access control implementation is weak, badly implemented, or missing altogether. The predictable ID is not the bug by itself: a sequential identifier is fine when every request is checked against the logged-in user, and an unguessable identifier does not fix an endpoint that performs no check at all.

Types of IDOR

  1. Blind IDOR: the result of the exploitation cannot be seen in the server response, for example modifying another user's private data without being able to read it. It is confirmed through the side effect (check the victim account afterwards), not through the response.
  2. Generic IDOR: the result of the exploitation is visible in the server response, for example reading confidential data or files belonging to another user.
  3. IDOR with reference to objects: used to access or modify an object the requester is not authorized for, for example reading other users' bank account information by sending a request such as →example.com/accounts?id={reference ID}
  4. IDOR with reference to files: used to access an unauthorized file. For example, a live chat server stores confidential conversations in files named with incrementing numbers, and any conversation can be retrieved just by requesting →example.com/1.log, example.com/2.log, example.com/3.log and so on.
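The behaviours described above, as an added example that is not code from the original article: a toy account service in plain Python with the read handler (a generic IDOR, the leak is visible in the response) and the write handler (a blind IDOR, only a side effect) each written beside its fixed version, followed by the two-account check a tester runs against them. All user IDs, tokens, e-mail addresses and function names are constructed for this example.

```python
# Added example, not code from the original article. A minimal account
# service with the read and write handlers written twice: as an IDOR and
# as the fixed version. All ids, tokens and e-mail addresses are constructed.


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller may not touch the object."""


def fresh_db():
    """Constructed sample state: two customers with one account each, and a
    session table mapping a bearer token to the authenticated user id."""
    return {
        "accounts": {
            24: {"owner": 24, "email": "alice@example.com", "balance": 1500},
            11: {"owner": 11, "email": "bob@example.com", "balance": 920},
        },
        "sessions": {"tok-alice": 24, "tok-bob": 11},
    }


def _caller(db, token):
    """Resolve the session; an unknown token means anonymous (None)."""
    return db["sessions"].get(token)


# --- Generic IDOR: the leaked data is visible in the response -------------

def vulnerable_get_account(db, token, account_id):
    """Authentication is enforced, authorization is not: the record is looked
    up by the client-supplied id alone, so any logged-in user can read any
    account by changing account_id."""
    if _caller(db, token) is None:
        raise Forbidden("login required")
    return db["accounts"][account_id]


def secure_get_account(db, token, account_id):
    """Same lookup, but the record is returned only if its owner is the
    session user. The id can stay sequential and public; the check is the fix."""
    caller = _caller(db, token)
    if caller is None:
        raise Forbidden("login required")
    record = db["accounts"].get(account_id)
    if record is None or record["owner"] != caller:
        # One response for "does not exist" and "not yours", so the endpoint
        # cannot be used to enumerate which ids are valid.
        raise Forbidden("not found")
    return record


# --- Blind IDOR: the write succeeds but the response reveals nothing ------

def vulnerable_update_email(db, token, account_id, new_email):
    """Writes to whatever id the client names and answers with a generic
    status. The attacker never sees the victim's data, yet has changed it."""
    if _caller(db, token) is None:
        raise Forbidden("login required")
    db["accounts"][account_id]["email"] = new_email
    return {"status": "ok"}


def secure_update_email(db, token, account_id, new_email):
    """Ownership is checked before the write, exactly as for the read."""
    caller = _caller(db, token)
    if caller is None:
        raise Forbidden("login required")
    record = db["accounts"].get(account_id)
    if record is None or record["owner"] != caller:
        raise Forbidden("not found")
    record["email"] = new_email
    return {"status": "ok"}


# --- The two-account check a tester runs against each handler -------------

def cross_account_read_leaks(db, handler):
    """Log in as Bob, request Alice's account id. True means IDOR."""
    try:
        return handler(db, "tok-bob", 24)["owner"] == 24
    except Forbidden:
        return False


def cross_account_write_leaks(db, handler):
    """Log in as Bob, try to change Alice's e-mail, then verify the side
    effect through the data store: a blind IDOR cannot be judged from the
    response alone. True means IDOR."""
    try:
        handler(db, "tok-bob", 24, "attacker@example.com")
    except Forbidden:
        pass
    return db["accounts"][24]["email"] == "attacker@example.com"


if __name__ == "__main__":
    for name, h in [("vulnerable read", vulnerable_get_account),
                    ("secure read", secure_get_account)]:
        print(name, "leaks:", cross_account_read_leaks(fresh_db(), h))
    for name, h in [("vulnerable write", vulnerable_update_email),
                    ("secure write", secure_update_email)]:
        print(name, "leaks:", cross_account_write_leaks(fresh_db(), h))
```

The hardened handlers return the same "not found" error for a missing object and for someone else's object; distinguishing the two turns a fixed endpoint into an ID oracle. Note also that the write check reads the data store rather than the status code, which is the only way to judge a blind IDOR.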

How to find an IDOR in a Bug Bounty Program

The first rule when testing for IDOR is to capture every request your browser sends to the web server (an intercepting proxy does this for you). You will often find these issues in URL parameter values, header values or cookies. The referenced values are frequently encoded or hashed rather than plain integers, and you have to decode them. For example, the following link:

https://example.com/profiles.php?id=e4da3b7fbbce2345d7772b0674a318d5

The “id” URL parameter value is an MD5 hash (here, of the string 5). Hashing adds no access control: the input space of sequential IDs is tiny, so the value is reversed in seconds with a hash lookup tool, or the attacker skips the reversal entirely and computes the MD5 of every candidate ID to send.

Also, API requests are a common place for an IDOR, so be sure to analyze the web application, gather all the API requests it sends and tamper with the referenced values. The most reliable check uses two accounts you control: replay a request captured from account A with account B's session (or with A's session and B's object IDs) and compare the responses. For blind cases, verify the effect from the victim account rather than trusting the response code.
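An added example (not from the article) of handling the disguised references described in this section: it reverses the MD5-hashed id from the sample URL by hashing candidate IDs, produces the parameter values needed to walk the ID space without reversing anything, and decodes the other common disguise, base64. The function names are chosen here; the only value taken from the article is the hash in the sample URL.

```python
# Added example, not code from the original article. Shows why a hashed or
# encoded id is not access control: the candidate space is tiny, so the
# value is reversed (or simply regenerated) by hashing every candidate.
import base64
import hashlib
import secrets

# The parameter value from the article's sample URL.
OBSERVED_ID = "e4da3b7fbbce2345d7772b0674a318d5"


def md5_hex(text):
    """MD5 of a string, as the 32-char lowercase hex the URL carried."""
    return hashlib.md5(text.encode()).hexdigest()


def reverse_hashed_id(value, candidates=range(1, 100_000)):
    """Reverse an MD5 of a sequential id by hashing each candidate and
    comparing; this is all a 'hash decode' website does, with a bigger
    table. Returns the integer id or None."""
    target = value.lower()
    for n in candidates:
        if md5_hex(str(n)) == target:
            return n
    return None


def enumerate_hashed_ids(first, last):
    """The values an attacker sends to walk ids first..last through the
    vulnerable endpoint. No reversal is needed to exploit the IDOR; the
    attacker only has to produce the disguise the server expects."""
    return {n: md5_hex(str(n)) for n in range(first, last + 1)}


def decode_reference(value):
    """Classify a reference seen in a request and recover the underlying id
    for the common disguises: plain integer, MD5 of a small integer, or
    base64 of an integer. Returns (kind, id) or ("unknown", None)."""
    if value.isdigit():
        return "plain", int(value)
    if len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower()):
        n = reverse_hashed_id(value)
        if n is not None:
            return "md5", n
    try:
        padded = value + "=" * (-len(value) % 4)  # restore stripped padding
        raw = base64.urlsafe_b64decode(padded).decode("ascii")
        if raw.isdigit():
            return "base64", int(raw)
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        pass
    return "unknown", None


def random_object_ref():
    """What an unguessable reference looks like (128 bits from the OS CSPRNG).
    It stops enumeration, not unauthorized access: an endpoint that skips the
    ownership check is still an IDOR once the reference leaks, e.g. through a
    shared link or a log line."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("observed id reverses to", reverse_hashed_id(OBSERVED_ID))
    print("next three ids to try:", enumerate_hashed_ids(6, 8))
    for v in ["24", "MjQ", OBSERVED_ID, random_object_ref()]:
        print(v, "->", decode_reference(v))
```

When the application uses random references, enumeration stops working but the two-account test still applies: obtain one of the victim's references legitimately (a shared link, a notification, a support export) and replay it with your own session.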

Top 25 IDOR Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users

Company: Paypal

Bounty: $10,500

Link: https://hackerone.com/reports/415081

#2

Title: Vimeo.com Insecure Direct Object References Reset Password

Company: Vimeo

Bounty: $5,000

Link: https://hackerone.com/reports/42587

#3

Title: idor allows you to delete photos and album from a gallery

Company: RedTube

Bounty: $1,500

Link: https://hackerone.com/reports/380410

#4

Title: IDOR allows any user to edit others videos

Company: YouPorn

Bounty: $1,500

Link: https://hackerone.com/reports/681473

#5

Title: IDOR — disclosure of private videos — /api_android_v3/getUserVideos

Company: PornHub

Bounty: $1,500

Link: https://hackerone.com/reports/186279

#6

Title: Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information

Company: Rockstar Games

Bounty: $1,400

Link: https://hackerone.com/reports/204292

#7

Title: IDOR widget.support.my.com

Company: Mail.ru

Bounty: $1,000

Link: https://hackerone.com/reports/328337

#8

Title: IDOR allow access to payments data of any user

Company: NordVPN

Bounty: $1,000

Link: https://hackerone.com/reports/751577

#9

Title: IDOR — Access to private video thumbnails even if video requires password authentication

Company: YouPorn

Bounty: $1,000

Link: https://hackerone.com/reports/197114

#10

Title: IDOR expire other user sessions

Company: Shopify

Bounty: $1,000

Link: https://hackerone.com/reports/56511

#11

Title: IDOR — Accessing other user’s attachements via PUT /appsuite/api/files?action=saveAs

Company: Open-Xchange

Bounty: $888

Link: https://hackerone.com/reports/204984

#12

Title: IDOR — Downloading all attachements if having access to a shared link

Company: Open-Xchange

Bounty: $888

Link: https://hackerone.com/reports/194790

#13

Title: IDOR to delete images from other stores

Company: Zomato

Bounty: $600

Link: https://hackerone.com/reports/404797

#14

Title: [app.mavenlink.com] IDOR to view sensitive information

Company: Mavenlink

Bounty: $500

Link: https://hackerone.com/reports/283419

#15

Title: IDOR in activateFuelCard id allows bulk lookup of driver uuids

Company: Uber

Bounty: $500

Link: https://hackerone.com/reports/254151

#16

Title: IDOR [partners.shopify.com] — User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/243943

#17

Title: IDOR Causing Deletion of any account

Company: Ubiquiti Inc.

Bounty: $500

Link: https://hackerone.com/reports/156537

#18

Title: CSRF combined with IDOR within Document Converter exposes files

Company: Open-Xchange

Bounty: $500

Link: https://hackerone.com/reports/398316

#19

Title: IDOR on partners.uber.com allows for a driver to override administrator documents

Company: Uber

Bounty: $500

Link: https://hackerone.com/reports/194594

#20

Title: IDOR bug to See hidden slowvote of any user even when you dont have access right

Company: Phabricator

Bounty: $300

Link: https://hackerone.com/reports/661978

#21

Title: IDOR — Deleting other user’s signature via /appsuite/api/snippet?action=update (although an error is thrown)

Company: Open-Xchange

Bounty: $300

Link: https://hackerone.com/reports/199321

#22

Title: IDOR and statistics leakage in Orders

Company: Twitter

Bounty: $289

Link: https://hackerone.com/reports/544329

#23

Title: IDOR to view other user folder name

Company: Open-Xchange

Bounty: $250

Link: https://hackerone.com/reports/333767

#24

Title: IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid

Company: Zomato

Bounty: $250

Link: https://hackerone.com/reports/265258

#25

Title: Comment restriction in subsection “Workshop” of domain “steamcommunity.com” can be bypassed using IDOR

Company: Valve

Bounty: $200

Link: https://hackerone.com/reports/365504

Bonus: 10 Zero-Dollar IDOR Reports

#1

Title: IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/510759

#2

Title: IDOR on HackerOne Feedback Review

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/262661

#3

Title: IDOR in changing shared file name

Company: Trint Ltd

Bounty: $0

Link: https://hackerone.com/reports/547663

#4

Title: IDOR in Bugs overview enables attacker to determine the date range a hackathon was active

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/663431

#5

Title: IDOR on Program Visibilty (Revealed / Concealed) against other team members

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/291721

#6

Title: Insecure Direct Object Reference (IDOR) Allowing me to claim other user’s photos (driving license and selfies) as mine

Company: Cuvva

Bounty: $0

Link: https://hackerone.com/reports/268167

#7

Title: Thailand — Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card

Company: Starbucks

Bounty: $0

Link: https://hackerone.com/reports/766437

#8

Title: IDOR to update folder name of other user

Company: Trint Ltd.

Bounty: $0

Link: https://hackerone.com/reports/587687

#9

Title: Metadata leakage via IDOR

Company: Polymail, Inc.

Bounty: $0

Link: https://hackerone.com/reports/762707

#10

Title: ‘cnvID’ parameter vulnerable to Insecure Direct Object References

Company: concrete5

Bounty: $0

Link: https://hackerone.com/reports/265284

I would like to thank you for your attention and I wish everybody good luck in their future findings!

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania