When an IDOR becomes EVIL > Total Data Leak😈​

Gnana Aravind K
3 min read · Aug 3, 2022

Hi fellow hackers and friends, this is Aravind here with another awesome article on how an IDOR bug helped me access all the user data of a website. To make it simple, I was able to get into any user account by just changing one parameter. So let’s get started…

Back Story

The target.com was an ecommerce website selling a single brand's products (as usual, I went there to buy a product😅​). After roaming all over the website, I found that it had many functionalities, and then I started testing it. Initially my goal was to bypass the payment gateway, which I love doing (Click here to read my past blog on that), but I ended up in failure and, you know what, my ego started popping up there. At that time, my intention was to find a critical bug or bypass something that could hit the company hard. After an hour of testing for critical bugs, I got this IDOR (IDOR never forgets to surprise you). If you don’t have any idea about IDOR, visit the article below for a clear view.

The Actual Story

I tried hard to bypass the login page with many methods, and after seeing the response from the web, I got a hint. The response consisted of a few parameters like user id, name, mail and more. Refer to the image below for the request and response of a successful login.

Request and Response from the site

I noticed that there was a user_ID parameter and thought of exploiting it by changing the id number. And yes, I guessed it right: by changing the id I was able to get into any user account without any authentication. My reaction was like:

By changing the user ID I went into all the user accounts, and there was data for almost 30K+ users in my hand.
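The bug described above, modelled as an added example (not code from the original post or the site in question): a handler that trusts the client-supplied `user_ID` beside one that derives identity from the server-side session, plus a simple access-log check for the enumeration pattern such a sweep leaves behind. The user table, session store, log format and the `Request` class are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data; ids and addresses are placeholders, not from any real site.
USERS = {
    101: {"name": "alice", "mail": "alice@example.invalid"},
    102: {"name": "bob", "mail": "bob@example.invalid"},
}
SESSIONS = {"sess-alice": 101}  # session token -> authenticated user id


@dataclass
class Request:
    params: dict                                   # query/body parameters
    cookies: dict = field(default_factory=dict)    # e.g. {"session": "<token>"}


def profile_vulnerable(req: Request) -> Optional[dict]:
    """IDOR: the record returned is chosen by a client-controlled id and
    no session is checked, so any caller can read any user's data."""
    return USERS.get(int(req.params["user_ID"]))


def profile_fixed(req: Request) -> Optional[dict]:
    """Identity comes only from the server-side session; user_ID from the
    client is never consulted, and an unauthenticated request gets nothing."""
    uid = SESSIONS.get(req.cookies.get("session", ""))
    return USERS.get(uid) if uid is not None else None


# Constructed access-log format: "session=<token> GET /profile?user_ID=<n>"
LOG_RE = re.compile(r"session=(\S+) .*user_ID=(\d+)")


def flag_enumeration(log_lines, threshold: int = 5):
    """Detection: one session requesting many distinct user_IDs is the
    footprint of an IDOR sweep. Returns the sessions at or over threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


# Constructed log: one session walks ten ids, a normal user reads only its own.
SAMPLE_LOG = [f"session=sess-sweep GET /profile?user_ID={i}" for i in range(100, 110)]
SAMPLE_LOG.append("session=sess-alice GET /profile?user_ID=101")
```

The fixed handler returns Alice's own record even when the request asks for `user_ID=102`, and the log check names only the sweeping session.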

That's why IDOR is EVIL.

Thanks for reading this, guys, hope you enjoyed it and learned something here. That’s the end of this story. If you want me to take any Bug Bounty or Ethical Hacking classes at your events, reach out to me (Mail: gnanaaravind07@gmail.com) for free sessions. I luv sharing my knowledge. I also run a student community where we conduct a lot of technical events for the enrichment of young people. Connect with us if you wanna explore the world and boost your career. Join us @cyberonics_official.

See you in yet another article, guys; visit my profile and follow for more such content. If you have not yet followed, follow me for more awesome content and help me reach 1k followers 😊

Social Handles:

Insta -> @aravind_0x7

Twitter -> @gnana_aravind07


Gnana Aravind K

Bug Bounty Hunter | Arduino & IoT Developer | Hacktivist