This is Vibhurushi Chotaliya. I hope you guys doing well…Today i want to share my cool finding on Bugcrowd Private Program.
I was found the IDOR vulnerability, through that i was able to do a big money fraud to company.
Let’s ROCK it…….
I got the Scope update mail from XYZ.com private program, then i start the hunting and observe the functionality of product and its transaction.
I add product into cart about the worth 100001 MXN (Maxican Peso) then go to the address tab then transaction tab.they have a Paypal payment gateway. I click on it and i got popup request like…
You can see request have currency parameter.i change the currency to INR. but server block me and popup request closed.Then i thought that what about the USD so i try it, and yes it is accepted. then i also try with EUR and server accept the EUR.but this is not enough……
As i said early the currency is in MXN(Mexican Peso) so…
1 MXN = 0.053 USD
And server accept the USD currency so
100001 USD = 1892256.02 MXN
Now compare original amount and converted USD amount.
100001 MXN = 1892256.02 MXN
Omg!!!!! This difference is too much big.
Yes! I’m able to change currency but why i have to pay 100001 USD actually i need to pay 100001 MXN.
Now i got a thought that…I have to choose that currency which has lower rate then MXN. so i surfing lots of for that but i was fail to validate the currency.every time popup request is block me.
Now i got idea..this is a paypal gate way let me check which currency they are allow to transaction and between them which currency has lower rate then MXN.
I got the currency list in paypal.
I Checked the rate of every currency with USD.
I got three currency which has lower rate then MXN
1 (THB)Thai Baht = 0.032 USD
1 (PHP)Philippine Peso= 0.019 USD
1 (THB)Czech Koruna = 0.044 USD
Again i click on payment with paypal and Change the currency parameter to PHP and Yes Paypal Accept this Currency.
Now You compare the currency amount
100001 MXN = 5286.70 USD
100001 PHP = 1944.22 USD
User just have to pay 1944.22 USD against 5285.70
Now you can understand how much big fraud is possible with this IDOR.
But my hope is Fail.I got a duplicate
After 1 month they reply again they change the status Unresolved and Reward me Nice bounty…
I hope guys you will learn something from this Write up…Thank you Bug Bounty Community…