IDORs Never Disappoint Me — Hacking Into Online Bookings ($$$$)

Gnana Aravind K
Jun 27, 2024

Hey there, fellow hackers and security enthusiasts! This blog is a walkthrough about my recent experience uncovering an IDOR vulnerability that allowed unauthorized access to customer booking details. Let’s dive in!

The Hunt Begins

As a bug bounty hunter, I’m always on the lookout for interesting targets. One sunny afternoon, I was casually browsing a booking website, sipping on my coffee, when something peculiar caught my eye. The booking details page had a unique ID in the URL. My hacker senses tingled. Could it really be this easy to change the ID and access other users' information? Spoiler alert: it totally was!

What’s an IDOR, Anyway?

For those new to the term, an IDOR (Insecure Direct Object Reference) is a type of vulnerability where the application uses an identifier supplied by the user, for example in the URL, to look up an object directly without checking that the requester is allowed to access it. This can lead to unauthorized access to data. In this case, simply changing the booking ID in the URL allowed me to view different customers' booking details. You can view my profile to find more IDOR-related blogs.

Putting My Detective Hat On

The target is an e-commerce site where a user can book customized products. While looking through the workflow, I tried to bypass the payment or to manipulate it, and everything came up negative. Still having some hope, I placed an order to investigate how things work, and after placing the order, there came my hero (IDOR).

Here’s how I went about it:
1. Access the URL: I started by accessing the booking details URL, which looked something like this: https://[company-website]/thankyoubooking/[booking_id].
2. Modify the ID: Next, I manually modified the booking ID parameter in the URL to a different value. For example, changing https://[company-website]/thankyoubooking/54000 to another number, like 54001.
3. Refresh and Repeat: I hit refresh and, lo and behold, I could see the booking details of another customer!

Feeling like Sherlock Holmes, I kept changing the ID and, to my surprise (and slight horror), I was able to access a range of booking details! It was both thrilling and alarming to see how easy it was to get unauthorized access to sensitive information. Additionally, there was an option to download the booking details as a PDF, which sharpened the knife even further. The page had data like Name, Email Id, Mobile, Pincode, Full Address, Model & Color of the product, Booking Amount, Payment Method, Payment ID, Order ID, Booking Date, Booking Time.

The Bigger Picture

Here’s why this vulnerability was a big deal:
1. Data Exposure: Unauthorized access exposed sensitive customer information like names, email IDs, mobile numbers, addresses, and booking details.
2. Privacy Violation: Customers' privacy was at risk, potentially leading to identity theft, fraud, or harassment.
3. Financial Risk: Exposure of payment-related information could lead to financial loss or fraudulent transactions.
4. Reputation Damage: The company’s failure to protect customer data could significantly harm its reputation and customer trust.

Helping to Fix the Hole

After my initial excitement, I knew it was time to responsibly disclose this vulnerability. I put on my white hat and recommended the following measures to the company:
1. Access Controls: Implement proper access controls to restrict access to booking details based on user authentication and authorization.
2. Unique IDs: Use unique, non-sequential booking identifiers that are not easily guessable or predictable.
3. Server-Side Validation: Implement server-side validation to verify the authenticity and ownership of booking requests.
4. Regular Security Checks: Conduct regular security assessments, including vulnerability scanning and penetration testing, to keep those nasty bugs at bay.
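
Recommendations 1 to 3 side by side with the flawed pattern, as an added Python sketch (not the company's code or the author's). The in-memory store, the function names, and the (status, body) return tuples are assumptions made for illustration, and the sample data is constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Booking:
    booking_id: str  # opaque, non-sequential reference
    owner_id: int    # account that placed the order
    details: dict


class BookingStore:
    """In-memory stand-in for the bookings table (hypothetical)."""

    def __init__(self):
        self._rows = {}

    def create(self, owner_id, details):
        # Recommendation 2: a random 128-bit reference instead of 54000, 54001, ...
        booking_id = secrets.token_urlsafe(16)
        self._rows[booking_id] = Booking(booking_id, owner_id, details)
        return booking_id

    def get(self, booking_id):
        return self._rows.get(booking_id)


def get_booking_vulnerable(store, booking_id):
    """The flawed pattern: whoever supplies an ID gets the record."""
    booking = store.get(booking_id)
    return (200, booking.details) if booking else (404, None)


def get_booking(store, session_user_id, booking_id):
    """Recommendations 1 and 3: require a session, then check ownership server-side."""
    if session_user_id is None:
        return (401, None)  # not authenticated
    booking = store.get(booking_id)
    # Same 404 for "missing" and "not yours", so responses do not confirm valid IDs.
    if booking is None or booking.owner_id != session_user_id:
        return (404, None)
    return (200, booking.details)
```

Random identifiers only make guessing harder; the ownership check is what actually closes the hole, and the PDF download endpoint needs the same check as the details page.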

Lessons Learned and Final Thoughts

Discovering and responsibly disclosing vulnerabilities is crucial in maintaining the security and integrity of online services. This IDOR vulnerability was a clear reminder of the importance of robust access controls and regular security assessments.

To my fellow bug bounty hunters, always stay curious and keep learning. The world of cybersecurity is vast and ever-evolving. Every vulnerability you find and report makes the digital world a little safer.

Thank you for joining me on this bug bounty adventure! If you enjoyed this tale of digital detective work, follow me on Medium for more stories on cybersecurity, bug bounties, and vulnerability disclosures. Happy hacking, everyone!

Note: This blog is AI enhanced.

Connect with me here, LinkedIn & Instagram ✌️
