IDOR While Connecting Social Account in Hackster.io
Hackster.io is a community dedicated to learning hardware, from beginner to pro. Share your projects and learn from other developers.
Weakness: Insecure Direct Object Reference (IDOR), CWE-639
Severity: High
Complexity: Simple~Easy
Steps to Reproduce:
1. Create an account on Hackster.io with an email address.
2. Then log out.
3. Then try to log in to that account with Facebook OAuth using the same email.
4. This time Hackster.io asks the user: “We have found an existing user account registered on the same email, link these two accounts.”
5. Check the URL of the page.
6. Just change the user ID to any other account, and link our Facebook account to their email.
7. And we get logged into the victim's account remotely.
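The root cause is that the account-linking step trusted a user ID supplied in the URL instead of the account the server itself had matched by the OAuth-verified email. The following is an added illustration of that pattern beside a hardened version; it is constructed example code, not Hackster.io's code, and the data model, token store and function names are assumptions.

```python
import secrets

# Constructed sample data (hypothetical, not Hackster.io's real data model):
# two accounts that were registered with an e-mail address.
USERS = {
    101: {"email": "alice@example.com", "facebook_id": None},
    202: {"email": "bob@example.com", "facebook_id": None},
}
# Server-side store of pending "link existing account?" prompts, keyed by a random token.
PENDING_LINKS = {}


def link_vulnerable(users, user_id_from_url, facebook_id):
    """The pattern the report describes: the link endpoint trusts the user id in
    the URL, so any account id can be bound to the requester's Facebook login."""
    users[user_id_from_url]["facebook_id"] = facebook_id
    return user_id_from_url


def start_link_prompt(users, oauth_email, facebook_id):
    """Run after the OAuth provider returns a verified e-mail that matches an
    existing account. The affected account is fixed server-side under a token;
    the client is only ever shown the token, never asked which account to link."""
    matches = [uid for uid, u in users.items() if u["email"] == oauth_email]
    if not matches:
        return None
    token = secrets.token_urlsafe(32)
    PENDING_LINKS[token] = {"user_id": matches[0], "facebook_id": facebook_id,
                            "email": oauth_email}
    return token


def link_hardened(users, token, user_id_from_url):
    """Hardened link step: the target comes from the pending record, not the URL.
    A client-supplied id that disagrees is rejected, the e-mail is re-checked at
    link time, and the token is consumed whether or not the link succeeds."""
    pending = PENDING_LINKS.pop(token, None)
    if pending is None:
        return (False, "unknown or expired link token")
    target = pending["user_id"]
    if user_id_from_url != target:
        return (False, "requested account does not match OAuth-verified identity")
    if users[target]["email"] != pending["email"]:
        return (False, "account e-mail changed since the prompt was issued")
    users[target]["facebook_id"] = pending["facebook_id"]
    return (True, target)
```

A detection hint for the same flaw in logs: a link request whose URL user ID differs from the account the server matched on the OAuth email should never succeed, so a count of such mismatches per client is a cheap alert.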
Reported to Benjamin Larralde (Co-founder of Hackster.io) ~ May 31
Fixed ~ May 31
Hall of Fame: