Finding IDOR To Get User’s Details

Hello Everyone, I hope everyone is doing great. In this write-up I am going to explain how I found an IDOR that reveals user details on an OTT platform website. It's a private program, so let's say the website is www.redacted.com

The IDOR vulnerability lies in the GET endpoint that fetches user data by mobile number. The API had no proper authorisation checks, so anyone who knew the victim's number could retrieve the victim's details.

Here’s how I found it.

I sent the following GET request:

GET /Api/UserManagement/GetUserDetails/<PhoneNumberHere>/mobile

[Screenshot: IDOR GET parameter]

Putting any other person's (the victim's) number in the GET parameter allowed me to view the victim's details.
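To make the root cause concrete from the defender's side, here is an added example (my own illustrative code, not the platform's implementation) of a "get user details by phone" handler written two ways: the vulnerable shape, which only checks that a record exists, and a hardened shape that enforces object-level authorisation, i.e. the phone number in the path must belong to the authenticated caller unless the caller holds a role explicitly allowed to read other accounts. It also includes a small detector that scans access-log lines for one session looking up many distinct phone numbers, the pattern an IDOR probe like the one above leaves behind. All names, tokens, roles and log formats are assumptions; the user records and log lines are constructed.

```python
"""Vulnerable vs hardened 'get user details by phone' handler plus a log-based
enumeration detector. Added example; not the OTT platform's own code."""
from dataclasses import dataclass
from collections import defaultdict
import re

@dataclass(frozen=True)
class User:
    phone: str
    name: str
    email: str
    role: str = "user"   # assumed roles: "user" or "support"

# Constructed sample records; not real people or numbers.
USERS = {
    "9100000001": User("9100000001", "Alice", "alice@example.invalid"),
    "9100000002": User("9100000002", "Bob", "bob@example.invalid"),
    "9100000009": User("9100000009", "Ops", "ops@example.invalid", role="support"),
}
# Constructed session store: bearer token -> phone of the authenticated caller.
SESSIONS = {"tok-alice": "9100000001", "tok-bob": "9100000002", "tok-support": "9100000009"}

def vulnerable_get_user_details(token, phone):
    """The IDOR shape: the caller's identity is never tied to the record requested.
    Returns (http_status, user_or_None)."""
    user = USERS.get(phone)          # token is ignored entirely
    return (200, user) if user else (404, None)

def hardened_get_user_details(token, phone):
    """Object-level authorisation: the record must belong to the caller, or the
    caller must hold a role that is allowed to read other users' records."""
    caller_phone = SESSIONS.get(token)
    if caller_phone is None:
        return 401, None             # not authenticated
    caller = USERS[caller_phone]
    if phone != caller.phone and caller.role != "support":
        # 404 instead of 403 so the response does not confirm that a
        # phone number is registered on the platform.
        return 404, None
    user = USERS.get(phone)
    return (200, user) if user else (404, None)

# Constructed access-log format (assumption): token, request path, status.
LOG_RE = re.compile(
    r"token=(?P<token>\S+) path=/Api/UserManagement/GetUserDetails/(?P<phone>\d+)/mobile status=(?P<status>\d+)"
)

def flag_enumeration(log_lines, max_distinct_phones=3):
    """Return the set of tokens that successfully fetched more distinct phone
    numbers than a legitimate user plausibly would (a tunable threshold)."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("status") == "200":
            seen[m.group("token")].add(m.group("phone"))
    return {tok for tok, phones in seen.items() if len(phones) > max_distinct_phones}

SAMPLE_LOG = [  # constructed log lines
    "token=tok-alice path=/Api/UserManagement/GetUserDetails/9100000001/mobile status=200",
    "token=tok-bob path=/Api/UserManagement/GetUserDetails/9100000002/mobile status=200",
    "token=tok-probe path=/Api/UserManagement/GetUserDetails/9100000001/mobile status=200",
    "token=tok-probe path=/Api/UserManagement/GetUserDetails/9100000002/mobile status=200",
    "token=tok-probe path=/Api/UserManagement/GetUserDetails/9100000003/mobile status=200",
    "token=tok-probe path=/Api/UserManagement/GetUserDetails/9100000004/mobile status=200",
    "token=tok-probe path=/Api/UserManagement/GetUserDetails/9100000005/mobile status=404",
]

if __name__ == "__main__":
    print("vulnerable, no token, Bob's number:", vulnerable_get_user_details(None, "9100000002"))
    print("hardened, Alice asks for Bob:", hardened_get_user_details("tok-alice", "9100000002"))
    print("hardened, Alice asks for Alice:", hardened_get_user_details("tok-alice", "9100000001"))
    print("sessions flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```

The fix is not "require a login": the hardened handler still rejects a logged-in Alice asking for Bob's record, because the check compares the requested object to the caller's identity, not merely to the presence of a session. The detector is a coarse backstop for the period before such a fix ships; the threshold should be tuned to how many accounts a real user or support agent touches per session.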

[Screenshot: IDOR details]

I reported the issue to the respective company, but they didn't reply and fixed it silently. LOL

Thanks For Reading. Will post more of my write-ups.


Achievements🏆

For all the companies listed below, I have reported security vulnerabilities and either received a Hall of Fame acknowledgement or a monetary reward as a bug bounty.

  • Telekom.
  • Sony.
  • Dell.
  • Adobe.
  • Frill.Co
  • Lenskart.
  • NCIIPC RVDP. (Government of India)
  • Magicpin.
  • Vercel.
  • YourDost.
  • Porsche.
  • Channable.
  • OpenMoney.
  • Uizard.