IDOR to Account Takeover
by Faiyaz Ahmad
Hi everyone, hope you all are doing great. In this article, we are going to see how I found an IDOR vulnerability that allowed me to hack into anyone’s account.
Before getting deep into the article, let’s talk about what IDOR is.
IDOR (Insecure Direct Object Reference) is a web application vulnerability that allows an attacker to access files or functionality that they were not supposed to access, typically by changing an identifier (such as a user id) in a request that the server never checks against the requester’s permissions.
Suppose there is a classroom website for teachers and students. The teachers can upload/delete/modify homework or add more students into their classroom. The students can only access homework and can submit their written work. But what if the students get access to functionality that is only supposed to be used by the teachers (for example, if a student can modify the assignment given by the teacher)?
As we can see from the example above, the student would be using functionality reserved for teachers; that missing authorization check is what makes it an IDOR.
I hope now you get an overall idea of IDOR. Now let’s quickly jump into the vulnerability.
So I was hunting for bugs in a web application that provides similar functionality to the example above. I had already found some vulnerabilities, like CSRF and XSS, on that website. Now I wanted to find a vulnerability that could directly result in an account takeover. For that, I started testing two main things on the webpage:
1- Login flow of the web application.
2- Password Reset flow of the web application.
I started with the login functionality but didn’t find anything interesting. Then I started testing on the password reset functionality and I found this:
As we can see here, the “/home/reset/user_id/reg” endpoint is used to change the user’s password. So here I tried changing the user_id to another user’s id and BOOM! I was able to reset the password of that other user!
By using this IDOR vulnerability, I could reset any user’s password just by knowing the user’s id.
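To make the root cause concrete, here is an added example (not the author’s code, and not the affected application’s code) that models the “/home/reset/user_id/reg” handler in two forms: a vulnerable version that trusts the user_id from the URL, and a hardened version that enforces object-level authorization by requiring either a session for that same user or a single-use reset token issued for that user. The user table, function names, token store and request shape are all constructed for illustration.

```python
"""Added example: a minimal model of a password-reset handler like
/home/reset/<user_id>/reg, vulnerable and hardened. All names and data here
are constructed for illustration, not taken from the affected application."""
import hashlib
import hmac
import secrets

# Constructed user store: user_id -> record. Passwords are kept as salted hashes.
USERS = {
    "1001": {"salt": "s1", "pw_hash": None},  # the victim account
    "1002": {"salt": "s2", "pw_hash": None},  # a second, unrelated account
}


def _hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Seed each constructed account with a known initial password.
for _uid, _rec in USERS.items():
    _rec["pw_hash"] = _hash_password(_rec["salt"], "initial-" + _uid)


def reset_vulnerable(session_user_id, path_user_id, new_password):
    """Mirrors the bug from the article: the handler acts on whatever user_id
    appears in the URL and never compares it with the authenticated session."""
    rec = USERS.get(path_user_id)
    if rec is None:
        return "not_found"
    rec["pw_hash"] = _hash_password(rec["salt"], new_password)
    return "reset"


# Single-use reset tokens, stored as sha256(token) -> user_id (constructed;
# a real application would also record an expiry time).
RESET_TOKENS = {}


def issue_reset_token(user_id):
    """Issue a random token bound to one user, e.g. to e-mail to that user."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def reset_hardened(session_user_id, path_user_id, new_password, reset_token=None):
    """Object-level authorization: the caller must either be logged in as the
    target user, or present an unused token that was issued for that user."""
    rec = USERS.get(path_user_id)
    if rec is None:
        return "not_found"
    authorized = session_user_id is not None and hmac.compare_digest(
        session_user_id, path_user_id
    )
    if not authorized and reset_token is not None:
        key = hashlib.sha256(reset_token.encode()).hexdigest()
        authorized = RESET_TOKENS.get(key) == path_user_id
        if authorized:
            del RESET_TOKENS[key]  # consume the token so it cannot be replayed
    if not authorized:
        return "forbidden"
    rec["pw_hash"] = _hash_password(rec["salt"], new_password)
    return "reset"


def check_password(user_id, password):
    """Constant-time comparison of a candidate password against the stored hash."""
    rec = USERS[user_id]
    return hmac.compare_digest(rec["pw_hash"], _hash_password(rec["salt"], password))
```

The defensive point is the `authorized` decision in `reset_hardened`: the identifier in the path is treated as untrusted input and is only honoured once it has been tied to the requester, either through the session or through a token that was deliberately issued for that exact user_id and is consumed on first use.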
I reported this vulnerability to the organization and they fixed this issue immediately.
1- Impact matters a lot in bug bounty.
2- What is IDOR?
3- How to find IDORs.
4- Follow the road less traveled ;)
About the Author
Currently pursuing a Bachelor's degree in cybersecurity. Has found multiple bugs in companies like BBC, RedBull, Nykaa, etc. Living in India.
You can follow me on: