IDOR chained with JWT token cracking leads to edit, view and deletion of 160000 user accounts.


Aswin Thambi Panikulangara

Two critical vulnerabilities were identified in the API of a public bug bounty program's application, together compromising user data and account security. The first allows unauthorized access to sensitive user data through an unprotected API endpoint (an IDOR), and the second is a weak JSON Web Token (JWT) signing secret that can be cracked, enabling attackers to forge tokens and impersonate users. Together they pose a significant risk to user privacy and data security.

An insecure API endpoint (/api/v1/redacted1/redacted2/:id) was found to expose sensitive user information. By sending a GET request to this endpoint with any valid orderID, an attacker can retrieve that user's details in JSON format without any ownership check. Since the endpoint covers more than 160,000 users, the exposure of their personal data would be a severe breach of user privacy. The exposed data includes:

- User ID
- Email address
- Account status (free or paid domain)
- Example handle
- Subscription details
- Transaction ID
- Payment status
- Ref profile name
IDOR by changing the orderID to that of other users.

The second issue is the application's use of a weak JWT secret key. Because the secret is guessable, an attacker can crack it offline, then sign arbitrary JWT payloads that the server accepts as genuine. Once the secret is known, the attacker can set the user ID in the JWT payload to any of the IDs obtained through the IDOR above and submit requests with the forged token to impersonate that user.

Cracking the JWT with the jwt-cracker tool and recovering the valid secret key.
Forging a JWT with the cracked secret key and a user ID obtained through the IDOR above.

With this, the attacker was able to forge auth tokens for 160,000+ users and perform any action the API offers on their behalf, such as editing, viewing or deleting user accounts.

Replacing the Authorization header with the forged token of another user.
DELETE request removing a user account with a forged token.
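The enumeration that makes this chain scale (one client walking through orderIDs and then through user IDs) leaves a distinctive trace in access logs. The following detection logic is an added example, not part of the original write-up; it runs over constructed log lines (the `sub=` field naming the token subject is an assumed log-enrichment field, and the endpoint path follows the redacted form given above) and flags any subject that successfully fetched more than a threshold of distinct orders, noting when the IDs are strictly sequential.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the write-up). The trailing
# "sub=<id>" is an assumed enrichment field carrying the JWT subject that
# authenticated the request.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /api/v1/redacted1/redacted2/1001 HTTP/1.1" 200 512 sub=u-1',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /api/v1/redacted1/redacted2/1002 HTTP/1.1" 200 498 sub=u-1',
    '203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /api/v1/redacted1/redacted2/1003 HTTP/1.1" 200 503 sub=u-1',
    '203.0.113.7 - - [10/Oct/2024:12:00:03 +0000] "GET /api/v1/redacted1/redacted2/1004 HTTP/1.1" 200 511 sub=u-1',
    '203.0.113.7 - - [10/Oct/2024:12:00:03 +0000] "GET /api/v1/redacted1/redacted2/1005 HTTP/1.1" 200 507 sub=u-1',
    '198.51.100.4 - - [10/Oct/2024:12:01:10 +0000] "GET /api/v1/redacted1/redacted2/2001 HTTP/1.1" 200 520 sub=u-2',
    '198.51.100.4 - - [10/Oct/2024:12:05:44 +0000] "GET /api/v1/redacted1/redacted2/2001 HTTP/1.1" 200 520 sub=u-2',
    '198.51.100.4 - - [10/Oct/2024:12:09:01 +0000] "GET /api/v1/redacted1/redacted2/2002 HTTP/1.1" 404 41 sub=u-2',
]

# Combined-log style line for the redacted endpoint, followed by the sub= field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /api/v1/redacted1/redacted2/(?P<oid>\d+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \d+ sub=(?P<sub>\S+)$'
)


def parse(lines):
    """Yield a dict per line that matches the endpoint pattern; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_enumeration(lines, threshold=3):
    """Return {subject: sorted distinct order IDs} for every subject that
    successfully (HTTP 200) fetched more than `threshold` distinct orders.
    A legitimate user has one or a handful of orders; a crawler has many."""
    seen = defaultdict(set)
    for rec in parse(lines):
        if rec["status"] == "200":
            seen[rec["sub"]].add(int(rec["oid"]))
    return {sub: sorted(ids) for sub, ids in seen.items() if len(ids) > threshold}


def is_sequential(ids):
    """True when the IDs form one unbroken ascending run, the signature of
    a scripted walk through the ID space."""
    return len(ids) > 1 and ids == list(range(ids[0], ids[0] + len(ids)))


if __name__ == "__main__":
    for sub, ids in find_enumeration(LOG_LINES).items():
        kind = "sequential" if is_sequential(ids) else "scattered"
        print(f"ALERT subject={sub} distinct_orders={len(ids)} pattern={kind} ids={ids}")
```

In production the same rule would be keyed on the token subject and the client address together, with a time window, so that a single forged token reused across many subjects still stands out by source address.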

Recommendations for Mitigation:

- Input Validation: Ensure only legitimate, authenticated users can access this endpoint.
- Authentication and Authorization: Restrict access to sensitive data with proper authentication mechanisms.
- Secure JWT Secret Key: Rotate the JWT secret key and use a strong, random secret for signing tokens.
- Implement Strong JWT Signature Verification: Verify JWT signatures properly to detect tampered tokens.
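Both findings above (the IDOR on the order endpoint and the crackable HS256 secret) come down to two server-side checks. The code below is an added example, not the affected application's code: it implements HS256 signing and verification with the standard library, refuses to issue tokens under a secret shorter than 256 bits, pins the algorithm so an `alg=none` token is rejected, and ties every order lookup to the token's `sub` claim so a valid token for one user cannot read another user's order. The order records, user IDs and secrets are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed order records standing in for the data the endpoint exposed.
ORDERS = {
    "1001": {"user_id": "u-1", "email": "alice@example.com", "payment_status": "paid"},
    "1002": {"user_id": "u-2", "email": "bob@example.com", "payment_status": "free"},
}

WEAK_SECRET = b"secret"                 # the kind of value a wordlist recovers in seconds
STRONG_SECRET = secrets.token_bytes(32)  # 256 bits from the OS CSPRNG (rotate on deploy)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def secret_is_strong(secret: bytes) -> bool:
    # RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
    return len(secret) >= 32


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Raw HS256 signing; used here both for legitimate issuance and to show
    what a token forged under a cracked weak secret looks like."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def issue_token(user_id: str, secret: bytes, ttl: int = 900) -> str:
    """Server-side issuance: refuses weak secrets and always sets an expiry."""
    if not secret_is_strong(secret):
        raise ValueError("JWT secret is too short; rotate to >= 32 random bytes")
    return sign_jwt({"sub": user_id, "exp": int(time.time()) + ttl}, secret)


def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature, algorithm and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def get_order(token: str, order_id: str, secret: bytes):
    """The fixed endpoint handler: authenticate, then authorize per object."""
    claims = verify_jwt(token, secret)
    if claims is None:
        return 401, {"error": "invalid token"}
    order = ORDERS.get(order_id)
    # Object-level authorization: the order must belong to the token subject.
    # 404 for both "missing" and "not yours" avoids confirming that an ID exists.
    if order is None or order["user_id"] != claims.get("sub"):
        return 404, {"error": "not found"}
    return 200, order


if __name__ == "__main__":
    alice = issue_token("u-1", STRONG_SECRET)
    print("own order:    ", get_order(alice, "1001", STRONG_SECRET))
    print("other's order:", get_order(alice, "1002", STRONG_SECRET))
    forged = sign_jwt({"sub": "u-2", "exp": int(time.time()) + 900}, WEAK_SECRET)
    print("forged token: ", get_order(forged, "1002", STRONG_SECRET))
```

Rotating to `STRONG_SECRET` alone invalidates every token forged under the cracked value, but only the ownership check in `get_order` closes the IDOR; the two fixes are independent and the endpoint needs both.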

Bounty paid: $1000

I will release more findings soon; please follow.
