How I was able to Extract Information of Other Users- Exploiting IDOR
Hello!
Today I am writing a blog about How I was able to extract the username and email of thousands of registered users on a website.
If you haven’t checked my previous blog, go check it out Here.
Let’s Continue!
Target: Knowyourmeds.com
KnowYourMeds app was created to proactively provides users with the most comprehensive information on the side effects/adverse effects of medications, medication interactions, effects of diet and lifestyle, and related research that is specific to each patient, as well as a unique and up-to-date database of user-reported adverse effects/side effects — According to their about us
So at first, I registered on the website after that to edit my details I went to “Edit Profile”
After checking the DOB and other details (Plz note the username (rupika2test) and email in the background), I fired my Burp Suite to check the parameters traveling. I intercepted the request and got the mentioned request
A PUT request was going to /api/v1/user/3892/profile endpoint containing id, email and other details of the user.
This can be an ezzzzz case of IDOR. So I changed the id from 3892 to 3891 and this happened.
I was able to see 3891’s username and Email into my account. At this point, I was like.
After reading till here, some of you might think “Not a big deal, you just changed the id”.
But the impact can be very crucial for an organization.
I went further to demonstrate the Business impact of this vulnerability. I sent this request to intruder, Modified the position to “id” and then created a list of numbers from 3800–3900 (100 requests for testing).
And all the request went successfully and I was able to see the username and email of all the registered users.
I made a 2-minute video POC too.
TIMELINE
15/1/2019 — Sent Initial Report
30/2/2019 — Verified and confirm the Report as Duplicate :(
Thanks :) Enjoyed reading ? Press the applause button below :)