How I Was Able to Extract Information of Other Users: Exploiting IDOR

Hello!

Today I am writing a blog about how I was able to extract the username and email of thousands of registered users on a website.

If you haven’t checked my previous blog, go check it out Here.

Let’s Continue!

Target: Knowyourmeds.com

"KnowYourMeds app was created to proactively provide users with the most comprehensive information on the side effects/adverse effects of medications, medication interactions, effects of diet and lifestyle, and related research that is specific to each patient, as well as a unique and up-to-date database of user-reported adverse effects/side effects." (According to their About Us page.)

So at first I registered on the website. After that, to edit my details, I went to "Edit Profile".

Edit Profile

After checking the DOB and other details (please note the username (rupika2test) and email in the background), I fired up Burp Suite to check the parameters in transit. I intercepted the request and got the request shown below.

Intercepted request

A PUT request was going to the /api/v1/user/3892/profile endpoint, containing the id, email and other details of the user.

This can be an easy case of IDOR. So I changed the id from 3892 to 3891, and this happened.

Details of another user fetched.

I was able to see 3891's username and email in my account. At this point, I was like...
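What goes wrong on the server side in a case like this, as an added illustration that is not the site's own code: the handler trusts the id in the URL, so the only thing that decides whose record is read and written is a number the client chose. The hardened version derives the target from the authenticated session, treats the path id as a claim to verify, and rejects a body id that disagrees. Usernames, ids and emails below are constructed sample data, and the Request/Response shapes are assumptions made for the example.

```python
# Added example, not the site's code: a minimal model of the
# /api/v1/user/<id>/profile PUT handler, vulnerable and hardened.
from dataclasses import dataclass, field

# Constructed sample user table; ids, usernames and emails are made up.
USERS = {
    3891: {"username": "otheruser", "email": "other@example.com", "dob": "1990-01-01"},
    3892: {"username": "rupika2test", "email": "tester@example.com", "dob": "1995-05-05"},
}

# Only these fields may be changed through the profile endpoint.
WRITABLE_FIELDS = ("dob",)


@dataclass
class Request:
    session_user_id: int   # who is authenticated (from the session cookie / token)
    path_user_id: int      # the <id> segment of the URL, chosen by the client
    body: dict             # JSON body of the PUT


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_update_profile(req: Request) -> Response:
    """Trusts the URL id: any authenticated user can read and write any profile."""
    user = USERS.get(req.path_user_id)
    if user is None:
        return Response(404, {"error": "not found"})
    user.update({k: v for k, v in req.body.items() if k in WRITABLE_FIELDS})
    # Echoes the target's username and email back to whoever asked.
    return Response(200, dict(user))


def hardened_update_profile(req: Request) -> Response:
    """Binds the target to the session; the URL id must match the caller."""
    if req.path_user_id != req.session_user_id:
        # Worth logging: a mismatch here is the signature of an IDOR probe.
        return Response(403, {"error": "forbidden"})
    if "id" in req.body and req.body["id"] != req.session_user_id:
        # Reject a body id that disagrees rather than silently using either.
        return Response(400, {"error": "id mismatch"})
    user = USERS.get(req.session_user_id)
    if user is None:
        return Response(404, {"error": "not found"})
    user.update({k: v for k, v in req.body.items() if k in WRITABLE_FIELDS})
    return Response(200, dict(user))
```

The check is deliberately on the server's own notion of identity (the session), not on anything in the request the client controls; comparing two client-supplied values against each other would fix nothing.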

After reading till here, some of you might think “Not a big deal, you just changed the id”.

But the impact can be severe for an organization.

I went further to demonstrate the business impact of this vulnerability. I sent this request to Intruder, set the payload position on the id, and then created a list of numbers from 3800 to 3900 (100 requests for testing).

All the requests went through successfully, and I was able to see the username and email of all the registered users.
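From the defender's side, an Intruder sweep like the one above leaves a very recognisable trace: one session touching many profile ids that are not its own, in quick succession. The following detection logic is an added example (not from the site or the post), run over constructed sample log lines; the log format, the sid/uid fields and the threshold are assumptions, and a real deployment would need the authenticated principal recorded next to the request path for this to work at all.

```python
# Added example: flag sessions that access profiles belonging to other users.
import re
from collections import defaultdict

# Constructed sample log lines (not from the site): one legitimate edit by
# user 3892, then a sweep over neighbouring ids from the same session, and
# an unrelated user editing only their own profile.
SAMPLE_LOG = """\
2019-01-15T10:00:01Z sid=abc123 uid=3892 PUT /api/v1/user/3892/profile 200
2019-01-15T10:00:09Z sid=abc123 uid=3892 PUT /api/v1/user/3891/profile 200
2019-01-15T10:00:10Z sid=abc123 uid=3892 PUT /api/v1/user/3800/profile 200
2019-01-15T10:00:10Z sid=abc123 uid=3892 PUT /api/v1/user/3801/profile 200
2019-01-15T10:00:11Z sid=abc123 uid=3892 PUT /api/v1/user/3802/profile 200
2019-01-15T10:00:11Z sid=abc123 uid=3892 PUT /api/v1/user/3803/profile 200
2019-01-15T10:05:00Z sid=def456 uid=4100 GET /api/v1/user/4100/profile 200
2019-01-15T10:05:01Z sid=def456 uid=4100 PUT /api/v1/user/4100/profile 200
"""

# Assumed log layout: timestamp, session id, authenticated user id,
# method, path, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) uid=(?P<uid>\d+) (?P<method>[A-Z]+) "
    r"/api/v1/user/(?P<target>\d+)/profile (?P<status>\d{3})$"
)


def parse_log(log_text):
    """Yield one dict per well-formed profile-endpoint line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["uid"] = int(ev["uid"])
        ev["target"] = int(ev["target"])
        ev["status"] = int(ev["status"])
        yield ev


def cross_user_successes(log_text):
    """Every 2xx request whose target profile is not the caller's own.
    With the endpoint unfixed, even one of these is a confirmed IDOR."""
    return [
        ev for ev in parse_log(log_text)
        if ev["target"] != ev["uid"] and 200 <= ev["status"] < 300
    ]


def detect_idor_sweep(log_text, min_foreign_ids=3):
    """Map sid -> sorted list of foreign profile ids for sessions that touched
    at least min_foreign_ids profiles belonging to other users, regardless
    of status (after the fix these show up as 403s and are still a probe)."""
    foreign = defaultdict(set)
    for ev in parse_log(log_text):
        if ev["target"] != ev["uid"]:
            foreign[ev["sid"]].add(ev["target"])
    return {
        sid: sorted(ids) for sid, ids in foreign.items()
        if len(ids) >= min_foreign_ids
    }


if __name__ == "__main__":
    for sid, ids in detect_idor_sweep(SAMPLE_LOG).items():
        print(f"session {sid} swept {len(ids)} foreign profiles: {ids}")
    print(f"{len(cross_user_successes(SAMPLE_LOG))} successful cross-user accesses")
```

The two functions answer different questions: cross_user_successes tells you the control is missing (any hit is bad), while detect_idor_sweep is what you keep alerting on after the fix, when the same sweep produces a burst of 403s instead of leaked records.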

I made a 2-minute video POC too.

TIMELINE

15/1/2019 — Sent Initial Report

30/2/2019 — Verified and confirmed the report as a duplicate :(

Thanks :) Enjoyed reading? Press the applause button below :)