I can change your profile pic on target.com without your knowledge
Hi folks! Hope you are doing great things in your life. This is Gnana Aravind with my second write-up on Medium. If you have missed my first one, where i discussed about how I hacked a website, get it here. Ok, coming back to this write-up, today I will discuss about one of my finding on target.com(can’t reveal site here) where I was able to change the profile picture of any user of that website by just knowing their user id. Isn’t it cool… Yes… Let’s start the journey.
If you are a experienced hacker, then by this time you might have catched the type of vulnerability that existed on target.com. Anyways the main reason for this issue was “Insecure Direct Object Reference” IDOR, Already heard somewhere ? If not get know about it here.
Insecure direct object references (IDOR) | Web Security Academy
In this section, we will explain what insecure direct object references (IDOR) are and describe some common…
Jumping into my finding, target.com had all the basic things like all other websites have. It had a account page which carries all information about the user and you can also set your own profile picture for your account. At first I tried to inject a xss payload which was in png, into the upload field but nothing worked out. While watching the requests and responses with burp. I noticed that when we upload a pic, the user id is mentioned in the request. After seeing this I got an idea to change my user id to somebody else user id. Quickly I created another account and tested the same. BOOM !!!
I was surprised to see that, the victims profile picture is changed now by just changing the user id. Quickly I made a report and submitted it to the security team of the website. That’s all about my finding, If you need any help in this bug, reach me out at Instagram and Follow me here on medium for more such useful write-ups, give a like and applause if this is a good write-up. Your suggestions are very much welcomed and use the comment section for that.See you soon with a new bug and write-up.
Thanks and Regards, Gnana Aravind K
We also have a community called Cyberonics, where we will be conducting useful webinars for free, follow us there to get updates on the upcoming events.