Top 25 IDOR Bug Bounty Reports
In this article we discuss the IDOR vulnerability class, how to find one, and present 25 disclosed reports based on this issue.
What is IDOR?
IDOR stands for Insecure Direct Object Reference. It is a vulnerability in which an application exposes a reference to an internal object (a user ID, a file name, a database key) and lets the client use that reference without checking that the caller is authorized to access the object, so an attacker can reach other users' sensitive information simply by supplying a different reference. For example, a user retrieves their personal and confidential data by sending a request to the following URL:
https://example.com/account.php?id=24
The server reads the user ID from the URL parameter and displays that user's information. But what happens when the user with ID 24 sends the following request instead?
https://example.com/account.php?id=11
If the data belonging to the user with ID 11 is returned, it is an IDOR issue.
A vulnerability like this occurs when server-side access control is missing or weakly implemented: the application trusts the identifier supplied by the client instead of checking it against the identity established by the session. The identifier does not have to be a sequential number for the bug to exist; a UUID or a hashed value only makes the reference harder to guess and does not replace the missing authorization check.
Types of IDOR
- Blind IDOR: the result of the exploitation is not visible in the server response, for example modifying another user's private data without being able to read it. The response looks the same as for a legitimate request, so you have to verify the effect from the victim's side.
- Generic IDOR: the result of the exploitation is visible in the server response, for example accessing confidential data or files belonging to another user.
- IDOR with reference to objects: used to access or modify an unauthorized object, for example reading another user's bank account information with a request such as example.com/accounts?id={reference ID}.
- IDOR with reference to files: used to access an unauthorized file. For example, a live chat server stores confidential conversations in files named with incrementing numbers, so any conversation can be retrieved by requesting example.com/1.log, example.com/2.log, example.com/3.log and so on.
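The following is an added example and not code from the article. It models the account.php?id=N scenario above as small request handlers that return (status, body) like an HTTP endpoint, showing a generic IDOR (a read that leaks the record), a blind IDOR (a write whose response hides that the victim's data changed), and the same handlers with a central ownership check. The in-memory store, the user IDs and the handler names are constructed for the demonstration.

```python
# Added example, not code from the article: the account.php?id=N scenario
# modelled as tiny request handlers. Every handler returns (status, body)
# the way an HTTP endpoint would. The store and user ids are constructed.

# Constructed store: account id -> record. The owner field is the user id
# that is allowed to read or change the record.
ACCOUNTS = {
    11: {"owner": 11, "email": "alice@example.com", "balance": 1200},
    24: {"owner": 24, "email": "bob@example.com", "balance": 300},
}


def get_account_vulnerable(session_user_id, requested_id):
    """Generic IDOR: the object id comes straight from the request.

    The session says who is calling, but that identity is never compared
    against the record's owner, so user 24 can read user 11's data and
    the leaked record is visible in the response.
    """
    record = ACCOUNTS.get(requested_id)
    if record is None:
        return 404, None
    return 200, record


def set_email_vulnerable(session_user_id, requested_id, new_email):
    """Blind IDOR: the write lands on any id and the response is the same
    'ok' whether or not the caller owns the record. The attacker sees
    nothing in the response, yet the victim's data has changed."""
    record = ACCOUNTS.get(requested_id)
    if record is None:
        return 404, None
    record["email"] = new_email
    return 200, "ok"


def load_owned_account(session_user_id, requested_id):
    """Central ownership check used by every secure handler.

    Returns the record only if it exists AND belongs to the session user.
    "Not found" and "not yours" both collapse to None so that the caller
    answers 404 in both cases; a distinct 403 would let an attacker
    enumerate which ids exist.
    """
    record = ACCOUNTS.get(requested_id)
    if record is None or record["owner"] != session_user_id:
        return None
    return record


def get_account_secure(session_user_id, requested_id):
    record = load_owned_account(session_user_id, requested_id)
    if record is None:
        return 404, None
    return 200, record


def set_email_secure(session_user_id, requested_id, new_email):
    record = load_owned_account(session_user_id, requested_id)
    if record is None:
        return 404, None
    record["email"] = new_email
    return 200, "ok"


def get_own_account(session_user_id):
    """Strongest form: when an endpoint only ever serves the caller's own
    record, do not accept an object id from the client at all."""
    return get_account_secure(session_user_id, session_user_id)


if __name__ == "__main__":
    # user 24 attacking user 11
    print(get_account_vulnerable(24, 11))                  # leaks alice's record
    print(set_email_vulnerable(24, 11, "x@evil.example"))  # "ok", silently changed
    print(get_account_secure(24, 11))                      # (404, None)
    print(set_email_secure(24, 11, "y@evil.example"))      # (404, None)
    print(get_own_account(24))                             # bob's own record
```

The fix is not in the identifier but in the handler: every object lookup goes through one check that ties the object to the authenticated session. When retesting a blind IDOR such as the email change above, log in as the victim afterwards to confirm whether the write actually happened, because the attacker's response alone does not tell you.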
How to find an IDOR in a Bug Bounty Program
The first rule when testing for IDOR is to capture every request your browser sends to the web server, ideally through an intercepting proxy. These issues are frequently found in URL parameter values, header values, or cookies. You will often run into encoded or hashed values that you have to decode first. For example, in the following link:
https://example.com/profiles.php?id=e4da3b7fbbce2345d7772b0674a318d5
the "id" parameter value is an MD5 hash of a small integer and can be recovered with a hash lookup tool, or by hashing candidate IDs yourself until one matches. Hashing only obscures the reference; it adds no authorization, so once you can produce the hash for another ID the endpoint is tested exactly like one that takes a plain number.
API requests are another common place for IDOR. Make sure you analyze the web application, collect all the API requests it sends, and tamper with the referenced values wherever they appear, in the URL, in headers and in JSON request bodies.
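The following is an added example and not code from the article. It performs the checks just described: recover a hashed id by hashing candidate integers, rewrite the id parameter to neighbouring ids (re-hashed when the original was a hash, plain integers otherwise, so it generalizes the two URL shapes on this page), and replay the tampered URLs with a second account's session to see which objects come back. The fake server, the session cookie and the profile ids are constructed stand-ins so the script runs offline; a real test replaces fake_server with the HTTP client of your choice.

```python
# Added example, not code from the article: recover a hashed id, build
# tampered requests and replay them as a second user. The server, sessions
# and ids below are constructed so the script runs offline.
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Digest length in hex characters -> hashlib algorithm name.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_id(algo, value):
    """Hash an object id the way the application is assumed to (no salt)."""
    return hashlib.new(algo, str(value).encode()).hexdigest()


def recover_hashed_id(digest_hex, max_id=100_000):
    """Brute-force a hashed id by hashing candidate integers 0..max_id.

    Returns (algorithm, id) or None. Hashing a small integer without a
    secret is obfuscation, not authorization, which is why this works.
    """
    algo = DIGEST_ALGOS.get(len(digest_hex))
    if algo is None:
        return None
    target = digest_hex.lower()
    for candidate in range(max_id + 1):
        if hash_id(algo, candidate) == target:
            return algo, candidate
    return None


def tamper_candidates(url, param, spread=2):
    """Rewrite the id parameter of url to the ids around the current one.

    If the current value is a recoverable hash, the neighbours are
    re-hashed with the same algorithm; otherwise plain integers are used.
    """
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    current = query[param]
    found = recover_hashed_id(current)
    if found is not None:
        algo, base = found
    else:
        algo, base = None, int(current)
    out = []
    for n in range(base - spread, base + spread + 1):
        if n < 0 or n == base:
            continue
        query[param] = hash_id(algo, n) if algo else str(n)
        out.append(urlunsplit(parts._replace(query=urlencode(query))))
    return out


def find_idor(send, candidate_urls, attacker_session):
    """Replay each tampered URL with the attacker's session and report the
    ones answered with 200 and a body: objects the attacker should not see."""
    hits = []
    for url in candidate_urls:
        status, body = send(url, attacker_session)
        if status == 200 and body:
            hits.append((url, body))
    return hits


# ---- constructed stand-in for the target so the script runs offline ----
PROFILES = {4: "profile of user 4", 5: "profile of user 5", 6: "profile of user 6"}
HASH_TO_ID = {hash_id("md5", n): n for n in PROFILES}
SESSIONS = {"attacker-cookie": 5}  # the attacker legitimately owns profile 5


def fake_server(url, session):
    """Vulnerable server: resolves the hashed id to a profile and never
    checks whether the session user owns that profile."""
    query = dict(parse_qsl(urlsplit(url).query))
    profile_id = HASH_TO_ID.get(query.get("id", ""))
    if session not in SESSIONS or profile_id is None:
        return 404, None
    return 200, PROFILES[profile_id]


def run_demo():
    """Start from the article's profiles.php URL and return the leaked objects."""
    url = "https://example.com/profiles.php?id=e4da3b7fbbce2345d7772b0674a318d5"
    candidates = tamper_candidates(url, "id", spread=1)
    return find_idor(fake_server, candidates, "attacker-cookie")


if __name__ == "__main__":
    print(recover_hashed_id("e4da3b7fbbce2345d7772b0674a318d5"))
    for hit in run_demo():
        print(hit)
```

A 200 with a body is only a lead, not proof: some objects are meant to be public. Confirm each hit by fetching the same URL with the victim's own session and checking that the attacker received the victim's private data, and keep the spread small on production targets so you do not mass-access other users' records beyond what the program's rules allow.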
Top 25 IDOR Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity, complexity, and uniqueness.
#1
Title: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users
Company: Paypal
Bounty: $10,500
#2
Title: Vimeo.com Insecure Direct Object References Reset Password
Company: Vimeo
Bounty: $5,000
#3
Title: idor allows you to delete photos and album from a gallery
Company: RedTube
Bounty: $1,500
#4
Title: IDOR allows any user to edit others videos
Company: YouPorn
Bounty: $1,500
#5
Title: IDOR — disclosure of private videos — /api_android_v3/getUserVideos
Company: PornHub
Bounty: $1,500
#6
Title: Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information
Company: Rockstar Games
Bounty: $1,400
#7
Title: IDOR widget.support.my.com
Company: Mail.ru
Bounty: $1,000
#8
Title: IDOR allow access to payments data of any user
Company: NordVPN
Bounty: $1,000
#9
Title: IDOR — Access to private video thumbnails even if video requires password authentication
Company: YouPorn
Bounty: $1,000
#10
Title: IDOR expire other user sessions
Company: Shopify
Bounty: $1,000
#11
Title: IDOR — Accessing other user’s attachements via PUT /appsuite/api/files?action=saveAs
Company: Open-Xchange
Bounty: $888
#12
Title: IDOR — Downloading all attachements if having access to a shared link
Company: Open-Xchange
Bounty: $888
#13
Title: IDOR to delete images from other stores
Company: Zomato
Bounty: $600
#14
Title: [app.mavenlink.com] IDOR to view sensitive information
Company: Mavenlink
Bounty: $500
#15
Title: IDOR in activateFuelCard id allows bulk lookup of driver uuids
Company: Uber
Bounty: $500
#16
Title: IDOR [partners.shopify.com] — User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
Company: Shopify
Bounty: $500
#17
Title: IDOR Causing Deletion of any account
Company: Ubiquiti Inc.
Bounty: $500
#18
Title: CSRF combined with IDOR within Document Converter exposes files
Company: Open-Xchange
Bounty: $500
#19
Title: IDOR on partners.uber.com allows for a driver to override administrator documents
Company: Uber
Bounty: $500
#20
Title: IDOR bug to See hidden slowvote of any user even when you dont have access right
Company: Phabricator
Bounty: $300
#21
Title: IDOR — Deleting other user’s signature via /appsuite/api/snippet?action=update (although an error is thrown)
Company: Open-Xchange
Bounty: $300
#22
Title: IDOR and statistics leakage in Orders
Company: Twitter
Bounty: $289
#23
Title: IDOR to view other user folder name
Company: Open-Xchange
Bounty: $250
#24
Title: IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid
Company: Zomato
Bounty: $250
#25
Title: Comment restriction in subsection “Workshop” of domain “steamcommunity.com” can be bypassed using IDOR
Company: Valve
Bounty: $200
Bonus: 10 Zero Dollars IDOR Reports
#1
Title: IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs
Company: HackerOne
Bounty: $0
#2
Title: IDOR on HackerOne Feedback Review
Company: HackerOne
Bounty: $0
#3
Title: IDOR in changing shared file name
Company: Trint Ltd
Bounty: $0
#4
Title: IDOR in Bugs overview enables attacker to determine the date range a hackathon was active
Company: HackerOne
Bounty: $0
#5
Title: IDOR on Program Visibilty (Revealed / Concealed) against other team members
Company: HackerOne
Bounty: $0
#6
Title: Insecure Direct Object Reference (IDOR) Allowing me to claim other user’s photos (driving license and selfies) as mine
Company: Cuvva
Bounty: $0
#7
Title: Thailand — Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card
Company: Starbucks
Bounty: $0
#8
Title: IDOR to update folder name of other user
Company: Trint Ltd.
Bounty: $0
#9
Title: Metadata leakage via IDOR
Company: Polymail, Inc.
Bounty: $0
#10
Title: ‘cnvID’ parameter vulnerable to Insecure Direct Object References
Company: concrete5
Bounty: $0
I would like to thank you for your attention and I wish everybody good luck in their future findings!