I was testing an Android application in which I found an IDOR that allowed a victim's company account information to be edited.
The application lets users create their own company profile with information such as a phone number, company description, and email address.
1. For testing I created two accounts and a company in each.
2. In account A, I edited the company information and captured the request in Burp Proxy. The request looked like this:
https://target[.]com/apis/rest/users/company/[companyidA]
with the fields I was editing in the request body.
3. I sent the request to the Burp Repeater tab and replaced the company ID with the company ID of account B:
https://target[.]com/apis/rest/users/company/[companyidB]
then entered the values I wanted to write in the body fields and sent the request, still using account A's session.
4. After sending the request I checked account B: its company information had been changed to the values I supplied, without account B's consent or knowledge. The server only verified that the caller was logged in; it never checked that the session owner actually owned the company ID in the URL.
- The company IDs were guessable numeric values, so an attacker can enumerate valid IDs by fuzzing. I confirmed this with the Burp Intruder tab.
- A second issue was that the API also suffered from excessive data exposure: the company's email address, phone number and some other fields were meant to be private, but when I opened the company view and inspected the request in Burp, the response contained that private data as well.
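To make the two findings concrete, here is an added example (not the target's code and not part of the original write-up) that models the company endpoint in memory: the vulnerable update and view handlers, which only check that a session exists, sit beside fixed versions that enforce ownership and filter private fields. The company IDs, session tokens, field names and helper functions (`idor_check`, `enumerate_companies`) are all constructed for the example.

```python
# Added example: in-memory model of /apis/rest/users/company/{id}.
# Every record, token and field name below is constructed for illustration.

COMPANIES = {
    1001: {"owner": "userA", "name": "Acme", "description": "widgets",
           "email": "ceo@acme.example", "phone": "+15550001"},
    1002: {"owner": "userB", "name": "Globex", "description": "gadgets",
           "email": "boss@globex.example", "phone": "+15550002"},
}
SESSIONS = {"tokenA": "userA", "tokenB": "userB"}   # assumed session store
PUBLIC_FIELDS = ("name", "description")
PRIVATE_FIELDS = ("email", "phone")
EDITABLE_FIELDS = PUBLIC_FIELDS + PRIVATE_FIELDS


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Record does not exist, or the caller may not know that it does."""


def _user(token):
    """Authentication only: map a session token to a user id."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("invalid session")


def update_company_vulnerable(token, company_id, fields):
    """IDOR: checks the session but never compares company.owner to the caller."""
    _user(token)
    company = COMPANIES.get(company_id)
    if company is None:
        raise NotFound
    for key, value in fields.items():
        if key in EDITABLE_FIELDS:
            company[key] = value
    return dict(company)


def update_company_fixed(token, company_id, fields):
    """Authorization: the record is only writable by its owner.
    Missing and not-owned both raise NotFound so the 403/404 difference
    cannot be used to enumerate the ID space."""
    user = _user(token)
    company = COMPANIES.get(company_id)
    if company is None or company["owner"] != user:
        raise NotFound
    for key, value in fields.items():
        if key in EDITABLE_FIELDS:
            company[key] = value
    return dict(company)


def view_company_vulnerable(token, company_id):
    """Excessive data exposure: returns email/phone to any logged-in user."""
    _user(token)
    company = COMPANIES.get(company_id)
    if company is None:
        raise NotFound
    return {k: v for k, v in company.items() if k != "owner"}


def view_company_fixed(token, company_id):
    """Private fields are only included when the caller owns the company."""
    user = _user(token)
    company = COMPANIES.get(company_id)
    if company is None:
        raise NotFound
    allowed = PUBLIC_FIELDS + (PRIVATE_FIELDS if company["owner"] == user else ())
    return {k: company[k] for k in allowed}


def idor_check(update, token, company_id, probe):
    """Replay of step 3: try a cross-account edit, report whether the victim's
    record changed, then restore it so the check is side-effect free."""
    before = dict(COMPANIES[company_id])
    try:
        update(token, company_id, probe)
    except (Forbidden, NotFound):
        pass
    changed = COMPANIES[company_id] != before
    COMPANIES[company_id] = before
    return changed


def enumerate_companies(view, token, id_range):
    """What the Intruder sweep does: walk a numeric range and keep every ID
    that answers, together with whatever the view handler leaks."""
    found = {}
    for cid in id_range:
        try:
            found[cid] = view(token, cid)
        except (Forbidden, NotFound):
            continue
    return found


if __name__ == "__main__":
    print("vulnerable IDOR:", idor_check(update_company_vulnerable, "tokenB", 1001, {"description": "edited by B"}))
    print("fixed IDOR:     ", idor_check(update_company_fixed, "tokenB", 1001, {"description": "edited by B"}))
    print("leaked on sweep:", enumerate_companies(view_company_vulnerable, "tokenB", range(1000, 1010)))
```

Run the block directly to see the cross-account edit succeed against the vulnerable handler and fail against the fixed one, and to see how a sweep over a small numeric ID range harvests every company's private contact details when the view handler does not filter by ownership.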
[To intercept the app's traffic with Burp Suite I used the Frida and Objection tools.]
Let's connect on LinkedIn: https://www.linkedin.com/in/muhammad-abdullah-32a753208/