IDOR on Password Change Leads to Mass Account Takeover

What are Insecure Direct Object References (IDOR)?

What is an account takeover vulnerability?

Bugs found:

  • IDOR in the password change functionality

IDOR in the password change functionality

Change Password API

Escalating the bug
