IDOR While Connecting Social Account in Hackster.io

Arbaz Hussain
Jul 18, 2017 · 1 min read

Hackster.io is a community dedicated to learning hardware, from beginner to pro. Share your projects and learn from other developers.

Weakness : Insecure Direct Object Reference (IDOR) CWE-639

Severity : High

Complexity : Simple~Easy

Steps to Reproduce :

1. Create an account on Hackster.io with an email address.

2. Then log out.

3. Then try to log in to that account with Facebook OAuth using the same email.

4. This time Hackster.io asks the user: “We have found an existing user account registered on the same email, link these two accounts”

5. Check the URL of the page:

/users/authorization/<USER-ID>/edit

6. Just change the user ID to any other account, and our Facebook account is linked to their email.

7. And we got logged into the victim’s account remotely.
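The root cause in the steps above is that the link page trusts the `<USER-ID>` in the URL. As an added example (not Hackster.io's code), here is a minimal model of the link step with the vulnerable handler beside a hardened one that takes the target account only from server-side pending-link state; all names, sample accounts and the session shape are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    id: int
    email: str
    facebook_uid: Optional[str] = None


@dataclass
class Session:
    # Filled in by the OAuth callback when an existing account has the same
    # email; this is what the "link these two accounts" page should act on.
    pending_link: Optional[dict] = None


def fresh_accounts():
    """Constructed sample data: the victim owns account 1, the attacker account 2."""
    return {1: Account(1, "victim@example.com"), 2: Account(2, "attacker@example.com")}


def oauth_callback(accounts, session, facebook_uid, facebook_email):
    """Facebook OAuth returns (uid, email). If the email already belongs to a
    local account, park the link request server-side and return the id that
    would appear in /users/authorization/<id>/edit."""
    match = next((a for a in accounts.values() if a.email == facebook_email), None)
    if match is None:
        return None
    session.pending_link = {"account_id": match.id, "facebook_uid": facebook_uid}
    return match.id


def link_vulnerable(accounts, session, url_user_id):
    """IDOR: the account to link comes from the URL, so editing the id
    attaches the caller's Facebook login to someone else's account."""
    accounts[url_user_id].facebook_uid = session.pending_link["facebook_uid"]
    return url_user_id


def link_fixed(accounts, session, url_user_id):
    """Hardened: only the account recorded in the pending state may be linked;
    a mismatching URL id is refused (None stands for HTTP 403) and the
    pending state is single use."""
    pending = session.pending_link
    if pending is None or pending["account_id"] != url_user_id:
        return None
    accounts[url_user_id].facebook_uid = pending["facebook_uid"]
    session.pending_link = None
    return url_user_id


def login_with_facebook(accounts, facebook_uid):
    """Step 7 of the post: whichever account carries the uid gets logged in."""
    return next((a.id for a in accounts.values() if a.facebook_uid == facebook_uid), None)
```

Linking on an email match also assumes the OAuth provider asserts a verified email; that requirement is separate from the URL-trust bug the post describes.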

Timeline:

Reported to Benjamin Larralde (Co-founder of Hackster.io) ~ May 31

Fixed ~ May 31

Hall of Fame:

https://hacksterio.freshdesk.com/support/solutions/articles/9000009848-i-found-a-bug-on-your-website-where-can-i-report-it-
