Thursday, June 10, 2021

Unexpected IDOR Vulnerability in [REDACTED] - [redacted].net (Write Up)




Howdy Guys!


So first of all let me ask you a question. If you are a company owner, would you let your customers data such as their email address, phone numbers, address and other sensitive information's to be accessible to anyone specially to a malicious user? If yes then this one is not for you.

So last month a friend of mine hit me up thru my Facebook Messenger and ask me something related to bug bounty and after some few chitchats he gave a website that has a private bug bounty program and so I decided to give it a try. after a few hours of testing, I found few vulnerabilities including Insecure Direct Object Reference Vulnerability [IDOR]. I compiled all the vulnerabilities that I found and decided to report it to the program.

After a week I received a response from them and I didn't expected the amount of bounty they issue to this vulnerability [IDOR]. Since I think the reward they issue is not worth it for the reported vulnerability, I decided to ask them why is it like that and their response was "I can't give any further details as to why it earned the respective bounty!".

So long story short, I found a simple IDOR vulnerability by changing the value of one of the parameters. here's my report timeline for this issue.



 --Proof of Concept--

1. Login to your [REDACTED] account
2. Go to https://secure.[redacted].net/welcome.php?dad=domain&jc=profiles
3. If you already created a Profile, click the "More" button on it
4. Click Edit
5. After you click Edit you will go to this link https://secure.[redacted].net/welcome.php?dad=domain&jc=profiles&hs=&a=form&id=VULNERABLE
6. The parameter "id" in the link was the vulnerable parameter so if you will change the value of it into any numbers, you will be able to see other users information if you can luckily hit the exact ID of your target user.

--Live Demo-- 

https://secure.[redacted].net/welcome.php?dad=domain&jc=profiles&hs=&a=form&id=XXX<--- My Profile

https://secure.[redacted].net/welcome.php?dad=domain&jc=profiles&hs=&a=form&id=187 <--- Victim's Profile (Sample Victim)

So by changing the value of the parameter "id" you will be able to see other users information due to this vulnerable parameter.




--Timeline--

Reported: Jun 17, 2019, 4:25 PM
First Response: Jun 17, 2019, 4:29 PM
Fixed and Bounty Awarded: Jul 1, 2019, 11:44 AM
"Thank you so much for your contributions in identifying this mulfunctionality.
It has been verified and resolved.
As such based on the level of harm and risk you have earned a bounty of $2. These funds have been credited to your [REDACTED] Live Credits.
When you want them withdrawn to your PayPal account, please create a ticket with this request forgetting not to include your PayPal email address.
We are hoping to continuously hear from you while you are in the hunt of bugs."

My Follow Up Question: Jul 1, 2019, 1:44 PM
Their Follow Up and Last Response: Jul 1, 2019, 1:51 PM

"Domain name profiles are really domain name pre-registration whois preset data and don't necessarily represent the client's data. Who's data is kinda public anyway!
None the less, I can't give any further details as to why it earned the respective bounty!"


In my demo there are ID's that has my account information on it and that means that the ID doesn't belong to someone else and instead of giving and error response, it gives my account information instead.

Well, I respect the program owner's decision on this report and I hope you guys enjoy reading this write up. see you on my next write up :)

PS: The bounty is not even enough for the PayPal tax :p lmfao


"The harder you work for something, the greater you’ll feel when you achieve it."

1 comment:

  1. Lmfaooo. Great find but total shithousery from the program owners :p

    ReplyDelete