IDOR on Password Change Leads to Mass Account Takeover
What is Insecure Direct Object References (IDOR)?
This is a type of access control vulnerability that arises when an application uses user-supplied input to reference objects directly, without verifying that the requesting user is actually allowed to access the object named.
What is an account takeover vulnerability?
This vulnerability allows an attacker to gain unauthorized, full access to a victim's account by exploiting an authentication flaw in the application.
Now, let's look at the bugs.
Bugs found:
- IDOR in the password change functionality
To put this in context: an IDOR vulnerability opens the door to horizontal privilege escalation, which lets one user tamper with another user's sensitive information.
IDOR in the password change functionality
While testing the application, I tried to change my password. This revealed an API endpoint that takes two parameters: the account and the new password.
When an attacker supplies any valid username in the account parameter, that user's password is changed successfully.
Escalating the bug
We can now iterate through all usernames from SQL injection dumps and set a password through the vulnerable endpoint, leading to a mass account takeover. This is how a simple vulnerability like IDOR, if used right, can have a huge impact.
There was no OTP verification mechanism implemented, and the API endpoint didn't have any additional parameters or headers to protect against such a vulnerability. This could be prevented by requiring additional parameters or headers and proper validation at the backend.
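To make the flaw and the fix concrete, here is an added example (not code from the write-up or from the affected application) of a password-change handler with the IDOR described above, beside a hardened version. It is plain Python with no web framework: the request is a dict, the session table and the two sample accounts (`alice`, `bob`) are constructed for the illustration, and every function name is an assumption. The hardened handler derives the target account from the session rather than the body, re-authenticates the caller with the current password, and writes an audit line for every rejected attempt so that a mismatch between session and requested account can be alerted on.

```python
"""Added example: IDOR in a password-change endpoint versus a hardened handler.
No framework; requests are dicts and the user/session tables are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed session table: session token -> authenticated username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low only to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_user_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: username -> (salt, password hash)."""
    store = {}
    for name, pw in (("alice", "alice-pass-1"), ("bob", "bob-pass-1")):
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


def verify_password(store, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def vulnerable_change_password(store, session_token: str, request: dict) -> dict:
    """Mirrors the endpoint in the write-up: the target account comes from the
    request body and is never compared with the identity behind the session."""
    if session_token not in SESSIONS:          # authentication only, no authorization
        return {"ok": False, "error": "not logged in"}
    target = request["account"]                 # caller-controlled object reference
    salt = os.urandom(16)
    store[target] = (salt, _hash(request["new_password"], salt))
    return {"ok": True, "account": target}


def hardened_change_password(store, session_token: str, request: dict,
                             audit: List[str]) -> dict:
    """The account is taken from the session; the current password
    re-authenticates the caller; every rejection is logged for detection."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return {"ok": False, "error": "not logged in"}
    # If the body names a different account, refuse and record it: this
    # session/target mismatch is precisely the IDOR probe worth alerting on.
    requested = request.get("account", caller)
    if requested != caller:
        audit.append(f"IDOR_ATTEMPT caller={caller} target={requested}")
        return {"ok": False, "error": "forbidden"}
    if not verify_password(store, caller, request.get("current_password", "")):
        audit.append(f"BAD_CURRENT_PASSWORD caller={caller}")
        return {"ok": False, "error": "current password incorrect"}
    salt = os.urandom(16)
    store[caller] = (salt, _hash(request["new_password"], salt))
    audit.append(f"PASSWORD_CHANGED caller={caller}")
    return {"ok": True, "account": caller}


def demo() -> dict:
    """Run bob's session against both handlers with a body naming alice."""
    probe = {"account": "alice", "new_password": "new-pass"}
    audit: List[str] = []

    store = make_user_store()
    vulnerable_change_password(store, "sess-bob", probe)
    alice_overwritten = verify_password(store, "alice", "new-pass")

    store = make_user_store()
    blocked = hardened_change_password(store, "sess-bob", probe, audit)
    alice_intact = verify_password(store, "alice", "alice-pass-1")

    # Legitimate self-service change still works through the hardened path.
    own = hardened_change_password(store, "sess-bob", {
        "current_password": "bob-pass-1", "new_password": "bob-pass-2"}, audit)
    return {
        "vulnerable_overwrote_alice": alice_overwritten,
        "hardened_blocked": not blocked["ok"],
        "alice_intact_after_hardened": alice_intact,
        "own_change_ok": own["ok"] and verify_password(store, "bob", "bob-pass-2"),
        "audit": audit,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The key design point is that the hardened handler never trusts an object reference from the body for a self-service operation: the only account it will touch is the one the session already proves. Keeping the `account` field and logging when it disagrees with the session turns the probe itself into a detection signal, which is cheaper than silently ignoring the field.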
I did find a few more vulnerabilities on the same website, such as other IDORs, no rate limiting, cross-site scripting and open redirection, but this was the most impactful. It was quite fun overall.