IDOR: Payment Fraud

Vibhurushi Chotaliya
Jun 20 · 3 min read

Hello guys

This is Vibhurushi Chotaliya. I hope you are all doing well. Today I want to share a cool finding from a Bugcrowd private program.

I found an IDOR vulnerability through which I was able to commit large-scale payment fraud against the company.

Let's rock it.

I got a scope update mail from the private program, so I started hunting and observed the product's functionality and its transaction flow.

I added products worth 100001 MXN (Mexican Peso) to the cart, then went to the address tab and on to the transaction tab. They have a PayPal payment gateway. I clicked on it and got a popup request like this:

You can see that the request has a currency parameter. I changed the currency to INR, but the server blocked me and the popup request closed. Then I thought, what about USD? I tried it, and yes, it was accepted. I also tried EUR, and the server accepted EUR too. But this was not enough.

As I said earlier, the original currency is MXN (Mexican Peso), so:

1 MXN = 0.053 USD

And the server accepts USD, so:

100001 USD = 1892256.02 MXN

Now compare the original amount with the converted USD amount:

100001 MXN (original) vs. 1892256.02 MXN (the value of 100001 USD)

Wow! That difference is huge.

Yes, I was able to change the currency, but why would I pay 100001 USD when I actually only need to pay 100001 MXN?

Then I thought: I have to choose a currency with a lower rate than MXN. So I tried lots of them, but I failed to get any currency accepted; every time the popup request blocked me.

Then I got an idea: this is a PayPal gateway, so let me check which currencies PayPal allows for transactions, and which of those have a lower rate than MXN.

I found the currency list on PayPal.

I checked the rate of every currency against USD.

I found three currencies with a lower rate than MXN:

1 THB (Thai Baht) = 0.032 USD

1 PHP (Philippine Peso) = 0.019 USD

1 CZK (Czech Koruna) = 0.044 USD

Again I clicked Pay with PayPal and changed the currency parameter to PHP, and yes, PayPal accepted this currency.

Now compare the amounts:

100001 MXN = 5286.70 USD

100001 PHP = 1944.22 USD

The user only has to pay 1944.22 USD instead of 5286.70 USD.

Now you can see how large a fraud is possible with this vulnerability: the server forwarded a client-supplied currency to PayPal without re-deriving it from the order, so the same numeric amount was charged in whatever accepted currency the client chose.
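The following is an added example, not code from the original write-up or from the affected program. It models the checkout flow described above in plain Python: the order total is stored server-side in MXN, the checkout request carries `amount` and `currency`, a vulnerable handler forwards whatever currency the client sent to the gateway, and a hardened handler derives both values from the order and additionally verifies what the gateway actually captured. The USD rates are the approximate figures quoted in the write-up (a constructed sample), and every function and field name is an assumption for illustration; the gateway itself is stubbed.

```python
"""Model of the currency-tampering flaw described in the write-up.

Added example: vulnerable vs. hardened payment creation, plus the
capture-side check and the "which currency is cheaper" search an
attacker (or a tester) would run. Not the original program's code.
"""
from dataclasses import dataclass

# Approximate USD value of one unit of each currency, as quoted in the
# write-up (constructed sample; EUR omitted because no rate is given).
USD_PER_UNIT = {
    "MXN": 0.053,
    "USD": 1.0,
    "THB": 0.032,
    "PHP": 0.019,
    "CZK": 0.044,
}


@dataclass
class Order:
    """Server-side order record; `amount` is denominated in `currency`."""
    order_id: str
    amount: float
    currency: str


@dataclass
class GatewayCharge:
    """What the (stubbed) payment gateway was asked to charge / captured."""
    order_id: str
    amount: float
    currency: str


def to_usd(amount: float, currency: str) -> float:
    """Convert an amount to USD with the sample rates above."""
    return amount * USD_PER_UNIT[currency]


def vulnerable_create_payment(order: Order, request: dict) -> GatewayCharge:
    """Flawed handler: trusts the client-supplied amount and currency.

    A request of {"amount": 100001, "currency": "PHP"} against a 100001 MXN
    order is forwarded unchanged, which is exactly the write-up's attack.
    """
    return GatewayCharge(order.order_id, float(request["amount"]), request["currency"])


def hardened_create_payment(order: Order, request: dict) -> GatewayCharge:
    """Fixed handler: amount and currency always come from the order.

    The client's values are compared only to detect tampering; they are
    never forwarded to the gateway.
    """
    if request.get("currency") != order.currency:
        raise ValueError("currency does not match order")
    if float(request.get("amount", -1)) != order.amount:
        raise ValueError("amount does not match order")
    return GatewayCharge(order.order_id, order.amount, order.currency)


def verify_capture(order: Order, charge: GatewayCharge, tolerance: float = 0.0) -> bool:
    """Second line of defence: before fulfilling, confirm the gateway captured
    the order's own amount in the order's own currency."""
    return (
        charge.order_id == order.order_id
        and charge.currency == order.currency
        and abs(charge.amount - order.amount) <= tolerance
    )


def cheaper_currencies(base: str, supported) -> list:
    """Currencies in `supported` worth less per unit than `base`, cheapest first.

    This is the search the write-up did by hand over PayPal's currency list.
    """
    return sorted(
        (c for c in supported if c != base and USD_PER_UNIT[c] < USD_PER_UNIT[base]),
        key=lambda c: USD_PER_UNIT[c],
    )


def underpayment_usd(order: Order, charge: GatewayCharge) -> float:
    """How much the merchant loses (in USD) if `charge` settles instead of `order`."""
    return to_usd(order.amount, order.currency) - to_usd(charge.amount, charge.currency)


if __name__ == "__main__":
    order = Order("ord-1", 100001.0, "MXN")
    tampered = {"amount": 100001, "currency": "PHP"}
    charge = vulnerable_create_payment(order, tampered)
    print("cheaper than MXN:", cheaper_currencies("MXN", USD_PER_UNIT))
    print("merchant loses about", round(underpayment_usd(order, charge), 2), "USD")
    print("capture check passes:", verify_capture(order, charge))
```

The two defences are independent on purpose: even if a checkout handler is fixed, a webhook or return-URL handler that fulfils an order without comparing the captured amount and currency to the stored order is still exploitable through any other path that reaches the gateway.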

But my hope failed: the report was marked as a Duplicate.

After one month they replied again, changed the status to Unresolved, and rewarded me with a nice bounty.

I hope you learn something from this write-up. Thank you, Bug Bounty Community!

Written by Vibhurushi Chotaliya, Bug Hunter/Security Researcher