Accidental IDOR that Deleted Admin Account.

Sayaan Alam
Jan 25 · 2 min read

Hey everyone! Last week I got invited to a private program through one of my friends, Ananda Dhakal.

About the Bug

IDOR (Insecure Direct Object Reference) was listed in the OWASP Top Ten 2013. It is a vulnerability that lets you access data you are not authorized for, because the application exposes an internal object reference (such as a user ID) and does not check that the requester is allowed to act on it. Let’s move to a practical scenario.

So I was testing that program, and at the start I found an ordinary rate limiting bug worth $25 😅😅. Yeah, it’s too low, and I was not happy with it either.
So I started playing with requests in Burp Repeater. After testing for some time I didn’t find anything, so I stopped and shut my Mac down.
A few minutes later I got a Discord notification from the admin about a reward worth $300... Guess what that was for???

I was surprised, and then remembered that I had been playing with requests. I thought I might have deleted something.
So I instantly went through my whole Burp history and searched for a delete request. Luckily, I found it.

There was a feature on that website to add and delete team members on my account. While I was playing with requests I had sent a delete request with user_id = 1, which is why the admin account got deleted: the endpoint trusted the user_id I supplied without checking that the user belonged to my team. After this I confirmed that I could delete anyone’s account.
I reported the bug and sent the screenshot. Within an hour I got my reward of $300 + $25 for the rate limiting bug. It was the fastest resolution ever in my bug bounty career.
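To make the root cause concrete, here is an added example (not code from the post or the affected program) that models the "delete team member" endpoint: the vulnerable handler deletes whatever user_id the client sends, while the hardened one first checks that the target is a member of the requester's own team. The user records, the ids and the team ownership model are all constructed assumptions.

```python
# Added example (not the post's code): a minimal model of the "delete team
# member" feature described above. The vulnerable handler trusts the
# client-supplied user_id; the hardened one checks that the target belongs
# to the requester's team. All ids and records below are constructed.

# Constructed in-memory state: user id -> record. Admin is id 1, as in the post.
USERS = {
    1: {"name": "admin", "team_owner": None},
    2: {"name": "researcher", "team_owner": None},
    3: {"name": "researcher_teammate", "team_owner": 2},
}

def fresh_state():
    """Return a copy of the constructed state so each call starts clean."""
    return {uid: dict(rec) for uid, rec in USERS.items()}

def delete_member_vulnerable(users, requester_id, user_id):
    """Vulnerable: deletes whatever user_id the client sends (the IDOR)."""
    if user_id not in users:
        return 404
    del users[user_id]
    return 200

def delete_member_fixed(users, requester_id, user_id):
    """Hardened: the target must be a member of the requester's own team."""
    target = users.get(user_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated.
    if target is None or target["team_owner"] != requester_id:
        return 404
    del users[user_id]
    return 200

def demo():
    """Replay the scenario: the researcher (id 2) sends user_id=1 to both handlers."""
    vuln_state, fixed_state, own_state = fresh_state(), fresh_state(), fresh_state()
    return {
        "vulnerable": (delete_member_vulnerable(vuln_state, 2, 1), 1 in vuln_state),
        "fixed_admin": (delete_member_fixed(fixed_state, 2, 1), 1 in fixed_state),
        "fixed_own_member": (delete_member_fixed(own_state, 2, 3), 3 in own_state),
    }

if __name__ == "__main__":
    print(demo())
```

The returned tuples pair the HTTP-style status with whether the target record still exists afterwards, so the vulnerable path shows the admin gone while the fixed path leaves it intact and only lets the researcher remove their own teammate.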

If you have questions or anything about the post you want to ask me, please contact me via Twitter. My DMs are open.

Guys, please don’t hesitate to clap 50 times 😊

Until Next Time!

If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page:
https://www.buymeacoffee.com/jgUFSPu

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Sayaan Alam

15 Y/O Cybersecurity Researcher | Student | Acknowledged by Google, IndiaToday, Spoyl, 20+ Companies
