Change Anyone’s Profile Picture: Exploiting IDOR
This is my first Blog post and I will write about a Critical IDOR Vulnerability which I found on an Indian Bug Bounty Platform that allowed me to change any user’s profile image on the platform.
Hope you will like it. :)
Basically, bugdiscover is a crowd-sourced community to secure Indian industries, and they are also the first in India to have a responsible disclosure platform (according to their About Us page).
IDOR: An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, without any authorization check. This allows attackers to manipulate those references to access or modify data that does not belong to them. In this case the reference is the numeric user ID sent with the profile-picture upload, and the server trusted it instead of the logged-in session.
You can also check the OWASP page: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
Here I am using two accounts: Rupika Luhach as the attacker and Test User as the victim.
Initially, I updated my profile photo to check what ID was assigned to me. As you can see, ID 84 was assigned to me. Via the same method, I identified the victim’s ID as 85.
- In this case, the ID assigned to me was 84
- The ID assigned to the victim was 85
I uploaded the image again, and this time I changed the id parameter to 85 (referring to the victim account).
The request went through successfully and the victim’s profile picture was updated!!
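To make the root cause concrete, here is an added example (not code from the original post or from bugdiscover) that models the upload handler in memory: a vulnerable version that selects the record to update from the client-supplied `id` field, beside a fixed version that only ever writes to the authenticated session's own record and treats a mismatching `id` as an alert worth logging. The user table, field names and function names are constructed assumptions; the IDs 84 and 85 mirror the post.

```python
# Added example, not the original post's or bugdiscover's code. An in-memory model of a
# profile-picture upload handler: the IDOR pattern described in the post beside a fix.
# USERS, the "id"/"image" form fields and all function names are constructed assumptions.

# Constructed sample user table: user id -> record (84 = attacker, 85 = victim, as in the post).
USERS = {
    84: {"name": "Rupika Luhach", "avatar": "default.png"},
    85: {"name": "Test User", "avatar": "default.png"},
}


class Forbidden(Exception):
    """Raised when a request tries to modify an object its session does not own."""


def reset_users():
    """Restore every avatar to the default so each scenario starts from the same state."""
    for record in USERS.values():
        record["avatar"] = "default.png"


def update_avatar_vulnerable(session_user_id, form):
    """Vulnerable handler: the target record comes from the client-controlled 'id' field.
    The session is checked only for being logged in, never for owning the target object."""
    if session_user_id not in USERS:
        raise Forbidden("not logged in")
    target = int(form["id"])            # attacker chooses this value freely
    USERS[target]["avatar"] = form["image"]
    return target


def update_avatar_fixed(session_user_id, form):
    """Fixed handler: the target is always the authenticated user. A client-supplied 'id'
    is tolerated only when it matches the session; a mismatch is logged and rejected."""
    if session_user_id not in USERS:
        raise Forbidden("not logged in")
    requested = form.get("id")
    if requested is not None and int(requested) != session_user_id:
        # The mismatch itself is the detection signal for IDOR probing: record it.
        print(f"ALERT: session user {session_user_id} tried to modify profile {requested}")
        raise Forbidden("cannot modify another user's profile")
    USERS[session_user_id]["avatar"] = form["image"]
    return session_user_id


def demo():
    """Replay the post's scenario against both handlers.
    Returns (victim avatar after vulnerable handler, victim avatar after fixed handler)."""
    crafted = {"id": "85", "image": "attacker.png"}   # attacker (84) submits id=85

    reset_users()
    update_avatar_vulnerable(84, crafted)
    after_vulnerable = USERS[85]["avatar"]            # victim's picture overwritten

    reset_users()
    try:
        update_avatar_fixed(84, crafted)
    except Forbidden:
        pass
    after_fixed = USERS[85]["avatar"]                 # victim's picture untouched

    return after_vulnerable, after_fixed


if __name__ == "__main__":
    print(demo())   # ('attacker.png', 'default.png')
```

The fix is the usual one for this bug class: derive the object being modified from the server-side session, not from the request body, and treat any client-sent identifier as redundant data to be verified rather than as the source of truth. Logging the mismatch gives the application a cheap detection for anyone enumerating IDs.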
I have made a video PoC for better understanding :)
31/10/2018 — Initial report sent
04/11/2018 — Report verified and confirmed as valid
06/11/2018 — Bugdiscover fixed the bug and updated the CVSS score to 7.2
13/11/2018 — Bugdiscover asked for my bank details and address
15/11/2018 — Bugdiscover sent the reward and swag (reward received)
08/12/2018 — Swag received
PS: I have two more issues still in the triaged state, with CVSS scores of 7.7 and 4.7. Once the patches are applied I will disclose them too. :)