Discover how an IDOR vulnerability allowed unauthorized budget changes in a private program. Learn the steps to reproduce this security flaw and its potential impact on user privacy.
IDOR vulnerabilities can expose user data or allow unauthorized access to sensitive features. In this blog post, I’ll walk you through a recent discovery I made while testing Examlent.com (a fictitious name for the private program’s domain), a platform where individuals seek job opportunities and employers find potential candidates. This IDOR flaw had the potential to compromise user privacy by letting an attacker manipulate a user’s budget without their consent.
The IDOR Bug
As a bug bounty hunter, my mission was to explore Examlent.com for any potential security vulnerabilities. During my testing, I discovered an intriguing IDOR (Insecure Direct Object Reference) bug that allowed any user to change another user’s budget without taking over their account. The endpoint responsible for this flaw was /employers/posts/ajax/action-crud-job.php?country=us&language=en&hid=------. The server looked up the job post by the hid value alone and never checked that the logged-in user owned it.
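To show the root cause and its fix, here is an added example (my own Python model of the handler, not Examlent.com’s PHP code): the vulnerable version trusts the hid parameter alone, while the fixed version scopes the lookup to the caller’s own posts. The store, job identifiers, and function names are constructed for this illustration.

```python
# Added example (not Examlent.com's code): a minimal model of the
# action-crud-job budget update, showing the IDOR and the ownership-scoped fix.
# JOBS, the hid values and the function names are constructed for illustration.

from dataclasses import dataclass

@dataclass
class Job:
    hid: str        # the job identifier the request carries as ?hid=
    owner_id: int   # employer who created the post
    budget: int

# Constructed in-memory store standing in for the database.
JOBS = {
    "job-1001": Job("job-1001", owner_id=1, budget=5000),
    "job-1002": Job("job-1002", owner_id=2, budget=8000),
}

def update_budget_vulnerable(session_user_id: int, hid: str, new_budget: int) -> tuple[int, str]:
    """Looks the post up by hid alone; any logged-in user can edit any post."""
    job = JOBS.get(hid)
    if job is None:
        return 404, "not found"
    job.budget = new_budget            # no check that session_user_id owns hid
    return 200, "updated"

def update_budget_fixed(session_user_id: int, hid: str, new_budget: int) -> tuple[int, str]:
    """Scopes the lookup to the caller's own posts, so a foreign hid is
    indistinguishable from a non-existent one, and validates the value."""
    if not isinstance(new_budget, int) or new_budget < 0:
        return 400, "invalid budget"
    job = JOBS.get(hid)
    if job is None or job.owner_id != session_user_id:
        # Record the denial: repeated misses on foreign hids from one
        # session are the signal a detection rule would alert on.
        print(f"audit: user={session_user_id} denied hid={hid}")
        return 404, "not found"
    job.budget = new_budget
    return 200, "updated"
```

Returning 404 rather than 403 for a post the caller does not own avoids confirming that the hid exists at all.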
Steps to Reproduce
The Impact
The unauthorized budget change not only compromises user privacy but also potentially results in financial losses, creating significant repercussions for both the victims and the platform’s integrity.
The Bounty
This critical IDOR vulnerability highlighted the need for stronger authorization checks on the platform. Recognizing the significance of this discovery, Examlent.com promptly awarded me a bounty of $1000.
Takeaway
This IDOR bug underscores the importance of continuously examining web applications for potential vulnerabilities. Security researchers should consider testing the boundaries of permissions within applications to see if they can make changes without gaining full access to another user’s account.
Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.