($$$$) Critical IDOR Vulnerability Leads to User Information Disclosure

My name is Muhammad Tanvir Ahmed.Recently I found a IDOR.

During a security assessment of Target.com’s account management system, I identified a critical Insecure Direct Object Reference (IDOR) vulnerability. By manipulating user IDs in API requests, I was able to access sensitive information of other users. The server’s lack of proper CSRF validation and predictable user ID patterns further exacerbated the risk. After thorough testing and additional analysis, I reported the issue, which was triaged as Critical by the platform.

I Open my target and log into my account.Go to the Account Settings and add a Visa card.After adding the card, a company creation screen appears with two options: Public and Private.I selected the Private option. The page appeared to be loading indefinitely.This indicated that the server was receiving a response, even if the UI wasn’t updating.Captured the request using Burp Suite and sent it to the repeater.The response contained my company details, including a user ID in the format:2ThB3jbnuh8ru5nNjnivYfjnwbfjin6HqRThis user ID was 32 characters long and not guessable.I modified the CSRF token in the request to a dummy value:CSRF Token: dummy tokenThe server still accepted the request and returned my company information, indicating a lack of proper CSRF validation. However, this was not impactful enough to report as a standalone issue. I am not upset after seeing 2 songs; an idea comes to my mind. I saw a numeric user ID when I created my account; it’s 18356. what if I change my user id to numeric user id?I recalled that during account creation, a numeric user ID (18356) was shown.I replaced the 32-character user ID in the request with 18356 and resent it.The request worked, and I could see my account details.I created a new account and noticed the user ID was 18357, indicating that the system assigned sequential user IDs.I tested changing the user ID to 18357 and successfully accessed the information for that account.But if I reported it, it’s triage medium to high. I waste some time to find some more impact.Further investigation revealed that by directly hitting the /UserId endpoint without specifying an ID, I could retrieve all user information in the response.

Then I reported this bug and security team accept this issue within 1 day..

Always take time to explore and analyze a bug thoroughly before reporting it. Finding additional impacts can significantly increase its severity and value.

https://x.com/Tanvir0x1
https://www.linkedin.com/in/tanvir0x1/