This article is about a bug which I recently found in a private program, where an attacker could modify or add contact details for other users' integrations that were applying to go public, without proper authorization. Learn about the issue, its potential impact, and the steps taken to address this security concern.
Understanding Target
Exapier (a placeholder name for the bug bounty program) is a product that allows end users to integrate the web applications they use. Developer.exapier.com serves as the platform where developers create and manage their applications, providing a space for collaboration and integration. It plays a crucial role in the Exapier ecosystem, allowing developers to publish and manage their apps seamlessly.
Bug Description
Recently, I found an IDOR in the developer.exapier.com platform, specifically in the functionality related to publishing contact details. It enables an attacker to tamper with or insert contact details on another user's account without the necessary authorization.
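The root cause of an IDOR like this one is a handler that trusts the client-supplied record id and never verifies that the logged-in user owns that record. The example below is added here for illustration and is not Exapier's code; it models a "publishing contact details" endpoint as plain Python functions over an in-memory store (the store, the developer ids, the integration ids and the allowed contact fields are all constructed assumptions) and shows the vulnerable pattern beside the hardened one, which performs an object-level ownership check and audits every denial.

```python
from dataclasses import dataclass, field
from typing import Dict, List


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested integration."""


@dataclass
class Integration:
    owner_id: str
    name: str
    status: str = "private"  # constructed lifecycle: private -> pending_review -> public
    contact: Dict[str, str] = field(default_factory=dict)


# Constructed sample data (not from the page): two developers, one integration
# each, both currently applying to go public.
def make_store() -> Dict[int, Integration]:
    return {
        101: Integration(owner_id="dev_alice", name="Alice's App", status="pending_review"),
        202: Integration(owner_id="dev_bob", name="Bob's App", status="pending_review"),
    }


# Append-only audit trail; a real service would send this to its SIEM.
AUDIT: List[str] = []

# Only these contact fields may be written through the endpoint (assumed).
ALLOWED_CONTACT_FIELDS = {"email", "support_url"}


def update_contact_vulnerable(store: Dict[int, Integration], session_user: str,
                              integration_id: int, contact: Dict[str, str]) -> Integration:
    """Vulnerable pattern: the integration id comes straight from the request and
    the handler never compares its owner with the authenticated user, so any
    logged-in developer can overwrite anyone else's publishing contact details."""
    integration = store[integration_id]
    integration.contact.update(contact)
    return integration


def update_contact_secure(store: Dict[int, Integration], session_user: str,
                          integration_id: int, contact: Dict[str, str]) -> Integration:
    """Hardened pattern: object-level authorization on every write.

    The record is looked up by id AND owner, and a mismatch is reported exactly
    like a missing record so the endpoint does not leak which ids exist.
    """
    integration = store.get(integration_id)
    if integration is None or integration.owner_id != session_user:
        AUDIT.append(f"DENY user={session_user} integration={integration_id} action=update_contact")
        raise AuthorizationError("integration not found")

    unknown = set(contact) - ALLOWED_CONTACT_FIELDS
    if unknown:
        raise ValueError(f"unsupported contact fields: {sorted(unknown)}")

    integration.contact.update(contact)
    AUDIT.append(f"ALLOW user={session_user} integration={integration_id} action=update_contact")
    return integration


def demo() -> Dict[str, object]:
    """Run both handlers with dev_bob trying to edit dev_alice's integration 101."""
    tampered = {"email": "attacker@example.invalid"}
    store = make_store()
    update_contact_vulnerable(store, "dev_bob", 101, tampered)
    vulnerable_result = dict(store[101].contact)

    store = make_store()
    try:
        update_contact_secure(store, "dev_bob", 101, tampered)
        secure_blocked = False
    except AuthorizationError:
        secure_blocked = True
    return {
        "vulnerable_contact_after_attack": vulnerable_result,  # attacker's email written
        "secure_blocked": secure_blocked,                      # True
        "secure_contact_after_attack": dict(store[101].contact),  # unchanged: {}
    }


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT))
```

The design choice worth noting is that the ownership check is part of the lookup itself rather than a separate step after fetching the record: a handler that fetches first and compares second is easy to get wrong when a new code path is added, and returning "not found" for both the missing and the foreign record keeps the endpoint from acting as an id-enumeration oracle.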
Before we move on, if you like my write-ups, please support me by liking, sharing, and clapping up to 50 times here on Medium; it's free. Thank you.
To illustrate how this vulnerability works, here’s a step-by-step breakdown:
The Bounty
The security team at Exapier acknowledged the report and rewarded a bounty of $417 for the discovery of an Insecure Direct Object Reference (IDOR) vulnerability. Although the impact was categorized as Medium severity, the team explained the specific context: the vulnerability was limited to integrations applying to go public, which undergo manual review by the team, so the bounty was lower than expected for this kind of issue.
Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.