Change Anyone’s profile picture-Exploiting IDOR

Hello Guys!!

This is my first Blog post and I will write about a Critical IDOR Vulnerability which I found on an Indian Bug Bounty Platform that allowed me to change any user’s profile image on the platform.

Hope you will like it. :)

Target: Bugdiscover

Basically, Bugdiscover is a crowd-sourced community for securing Indian industries and, according to their About Us page, the first responsible disclosure platform in India.

IDOR: An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, without any authorization check. An attacker can then manipulate that reference to access or modify data belonging to other users.

You can check the Owasp page also: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Steps to reproduce:

Here I am using two accounts:

Rupika Luhach as an Attacker and Test User as the Victim

Initially, I updated my profile photo to check what ID was assigned to me:

Uploading an image to identify the userid

As you can see, id 84 is assigned to me. Via the same method, I identified the victim’s id as 85.

The ID assigned to me (attacker)
  • In this case, The ID assigned to me was 84
  • The ID assigned to the victim was 85

I uploaded the image again and this time I changed the id parameter to 85 (referring to the victim account).

The request went successfully and the victim’s profile picture was updated!!
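The flaw above, modelled as an added example in plain Python (this is not Bugdiscover’s code): a vulnerable upload handler that trusts the client-supplied `id` next to a fixed one that takes the target from the session, plus a small detection check over upload logs. The handler names, the in-memory store and the log entries are constructed assumptions; the `id` parameter and the ids 84 and 85 come from the write-up.

```python
from dataclasses import dataclass


@dataclass
class Request:
    session_user_id: int   # identity the server established from the session cookie
    form: dict             # client-controlled fields; the upload form carries "id"
    file_bytes: bytes


def upload_vulnerable(req, store):
    """Before the fix: the row to update is chosen by the client-supplied id."""
    target = int(req.form["id"])
    store[target] = req.file_bytes
    return 200, target


def upload_fixed(req, store):
    """After the fix: the target is the session user; a mismatching id is refused."""
    target = req.session_user_id
    if "id" in req.form and int(req.form["id"]) != target:
        return 403, None   # nothing is written; this event is worth alerting on
    store[target] = req.file_bytes
    return 200, target


def tamper_attempts(log):
    """Detection over (session_user_id, id) pairs from upload requests: a session
    writing to someone else's id is exactly this bug's signature."""
    return [e for e in log if e["id"] != e["session_user_id"]]


def demo():
    base = {84: b"attacker-old.png", 85: b"victim-old.png"}  # constructed sample data
    # Attacker (session 84) re-sends the upload with id changed to the victim (85).
    req = Request(84, {"id": "85"}, b"attacker-chosen.png")
    vuln_store, fixed_store = dict(base), dict(base)
    vuln_status, _ = upload_vulnerable(req, vuln_store)
    fixed_status, _ = upload_fixed(req, fixed_store)
    return {
        "vuln_status": vuln_status, "victim_after_vuln": vuln_store[85],
        "fixed_status": fixed_status, "victim_after_fix": fixed_store[85],
    }


if __name__ == "__main__":
    print(demo())
```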

From this (screenshot: old profile image) to this (screenshot: new profile image).

I have made a video POC for better understanding :)

TIMELINE

31/10/2018 — Sending Initial Report

04/11/2018 — Report verified and confirmed as valid

06/11/2018 — Bugdiscover fixed the bug and updated the CVSS score to 7.2

13/11/2018 — Bugdiscover asked for my bank details and address

15/11/2018 — Bugdiscover sent the reward and swag. (Reward Received)

08/12/2018 — Swag received

PS: I have two more issues still in the triaged state, with CVSS scores of 7.7 and 4.7. Once the patch is applied I will disclose them too. :)