How I was able to Extract Information of Other Users- Exploiting IDOR

Rupika Luhach
Feb 2, 2019 · 3 min read

Hello!

Today I am writing a blog about how I was able to extract the username and email of thousands of registered users on a website.

If you haven’t checked my previous blog, go check it out here.

Let’s Continue!

Target: Knowyourmeds.com

KnowYourMeds app was created to proactively provide users with the most comprehensive information on the side effects/adverse effects of medications, medication interactions, effects of diet and lifestyle, and related research that is specific to each patient, as well as a unique and up-to-date database of user-reported adverse effects/side effects — according to their About Us page.

So at first, I registered on the website. After that, to edit my details, I went to “Edit Profile”.

Edit Profile

After checking the DOB and other details (please note the username (rupika2test) and email in the background), I fired up Burp Suite to check the parameters travelling. I intercepted the request and got the request shown below.

Intercepted request

A PUT request was going to the /api/v1/user/3892/profile endpoint, containing the id, email and other details of the user.

This looked like an easy case of IDOR. So I changed the id from 3892 to 3891, and this happened.

Details of another user fetched.

I was able to see 3891’s username and email in my account. At this point, I was like:

After reading till here, some of you might think “Not a big deal, you just changed the id”.

But the impact on an organization can be severe.

I went further to demonstrate the business impact of this vulnerability. I sent this request to Intruder, set the payload position to the id, and then created a list of numbers from 3800–3900 (100 requests for testing).

All the requests succeeded, and I was able to see the username and email of all the registered users.
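As an added example (not code from the original post or from the KnowYourMeds project), the following shows the defender's view of both findings above: a handler for the PUT /api/v1/user/{id}/profile route that trusts the id in the URL, next to a hardened version that ties the id to the authenticated caller, plus a small log-based detector for the id sweep the Intruder run produced. User ids, usernames, emails, session names and the log format are all constructed for the example.

```python
# Added example, not the original post's or the site's code.
# Constructed user store keyed by numeric id, standing in for the site's database.
import re
from collections import defaultdict

USERS = {
    3891: {"username": "otheruser", "email": "other@example.invalid"},
    3892: {"username": "rupika2test", "email": "rupika@example.invalid"},
}


def vulnerable_profile(session_user_id, path_id, update):
    """Mirrors the bug: the id from the URL is used directly, never compared to the caller."""
    user = USERS.get(path_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, {**user, **update}


def hardened_profile(session_user_id, path_id, update):
    """Fix: object-level authorization, the requested id must be the caller's own id."""
    if path_id != session_user_id:
        # Deny without echoing the other user's record; the id tells the caller nothing.
        return 403, {"error": "forbidden"}
    user = USERS.get(path_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, {**user, **update}


# Constructed access-log format: "<session> PUT /api/v1/user/<id>/profile <status>"
LOG_RE = re.compile(r"^(?P<session>\S+) PUT /api/v1/user/(?P<id>\d+)/profile (?P<status>\d{3})$")


def sweep_suspects(log_lines, threshold=10):
    """Return sessions that successfully hit more than `threshold` distinct profile ids."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            seen[m.group("session")].add(int(m.group("id")))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


# Constructed log: one normal session editing its own profile, and one session
# walking ids 3800..3900 the way the Intruder run in the post did.
SAMPLE_LOG = ["sessA PUT /api/v1/user/3892/profile 200"] + [
    f"sessB PUT /api/v1/user/{i}/profile 200" for i in range(3800, 3901)
]
```

The threshold is a starting point; on a real API it should sit above the number of distinct profiles a legitimate session touches, and a 403 spike from the hardened handler is itself a useful alert signal.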

I made a 2-minute video POC too.

TIMELINE

15/1/2019 — Sent Initial Report

30/2/2019 — Verified and confirmed the report as a duplicate :(

Thanks :) Enjoyed reading? Press the applause button below :)
