IDOR While Connecting Social Account in Hackster.io

Hackster.io is a community dedicated to learning hardware, from beginner to pro. Share your projects and learn from other developers.

Weakness: Insecure Direct Object Reference (IDOR), CWE-639

Severity: High

Complexity: Simple to easy

Steps to Reproduce:

1. Create an account on Hackster.io with an email address.

2. Log out.

3. Try to log in to that account with Facebook OAuth using the same email address.

4. This time Hackster.io tells the user: "We have found an existing user account registered on the same email, link these two accounts."

5. Check the URL of that page:

/users/authorization/<USER-ID>/edit

6. Change the user ID to any other account's ID, and link our Facebook account to their account.

7. We are now logged into the victim's account remotely.
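The root cause is that the link endpoint trusted the user ID in the URL instead of the account the server had itself matched by email. The following added model (not Hackster.io's code; the data model, function names and sample accounts are assumptions) shows that vulnerable handler beside a hardened one that binds the link to the server-side session and re-authenticates the existing account before attaching the social identity:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    id: int
    email: str
    password_hash: str
    facebook_uid: Optional[str] = None  # the linked social identity, if any

def _hash(pw: str) -> str:
    # Unsalted SHA-256 keeps the model short; a real app uses a slow, salted hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_users() -> Dict[int, User]:
    # Constructed sample accounts: id 1 is the victim, id 2 is the attacker's own account.
    return {1: User(1, "victim@example.com", _hash("victim-pw")),
            2: User(2, "attacker@example.com", _hash("attacker-pw"))}

def oauth_callback(users, session, provider_uid, provider_email):
    """Server side of the OAuth return. If an account already uses the provider's email,
    record the link target in the server-side session and redirect to the edit page."""
    existing = next((u for u in users.values() if u.email == provider_email), None)
    if existing is None:
        return None
    session["pending_link"] = {"user_id": existing.id, "facebook_uid": provider_uid}
    return f"/users/authorization/{existing.id}/edit"

def link_vulnerable(users, session, path_user_id):
    """Trusts the user id taken from the URL: whichever account the path names gets the
    caller's Facebook identity attached, which is the CWE-639 pattern in the post."""
    users[path_user_id].facebook_uid = session["pending_link"]["facebook_uid"]
    return path_user_id

def link_hardened(users, session, path_user_id, password):
    """Only links the account the server itself selected from the verified email, and
    requires re-authentication to that account before the social identity is attached."""
    pending = session.get("pending_link")
    if pending is None or pending["user_id"] != path_user_id:
        raise PermissionError("URL user id does not match this session's pending link")
    user = users[path_user_id]
    if not hmac.compare_digest(_hash(password), user.password_hash):
        raise PermissionError("re-authentication to the existing account failed")
    user.facebook_uid = pending["facebook_uid"]
    session.pop("pending_link")  # one-time use
    return user.id
```

Either check alone closes the IDOR; the session binding stops the ID swap, and the re-authentication also covers the case where a provider reports an email it has not verified.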

Timeline:

Reported to Benjamin Larralde (co-founder of Hackster.io) ~ May 31

Fixed ~ May 31

Hall of Fame:

https://hacksterio.freshdesk.com/support/solutions/articles/9000009848-i-found-a-bug-on-your-website-where-can-i-report-it-

Author: Arbaz Hussain