IDOR leading to broken functionality


Le_Merdien

Hello everyone, I want to share with you one of my first bugs, found after my first month of hunting. First, some context on the program I was hunting on: it was a site where you can book hotels and flights, and each section has tons of functions to test. In the flight section I found a function called "Flight Alert". What does it do? It lets every user create a flight alert with a chosen price for a ticket between a pick-up point and an arrival point. For example: I want a ticket from Italy to France for $200, so I set the price alert, and when a ticket is available or the price drops it notifies the user.

I found the endpoint that creates the flight alert, with these attributes, and decided to test with two accounts, so I created an "Attacker" and a "Victim" account. I swapped the email parameter for the victim's address to see how it would be reflected and, as you would predict, "the 403 Forbidden blew up in my face". So I started digging deeper into how to bypass the 403, beginning with the operateType parameter. On the attacker account, with its own email, I posted a flight alert, captured the request and changed operateType to 2: the response was "200 OK", but nothing happened on the front end. With 3 the flight alert was deleted. So operateType 1 creates the flight alert and operateType 3 deletes it, which means operateType 2 edits the alert you posted; I confirmed this by editing the targetPrice, dCity and aCity parameters and so on. Up to this point there was no impact on anything; I was just trying to understand how the function works.

Then suddenly an idea popped into my head: "what if" I set the dCity ("destination") and aCity ("arrival") parameters to the same value, for example dCity = Italy and aCity = Italy? Remember, you can't do that from the front-end page: it pops up an error saying the destination must be different from the pick-up point. So I used the operateType parameter and edited the destination and pick-up values in the request itself.

As you can see, I switched both to the same country and sent the request. This time it went through fine, although the front end showed an error, so still no impact. But I could see a logic bug coming, so I tried again with the "Attacker" email replaced by the "Victim" email, and it worked: I had created a flight alert on another user's account without their permission. That was the first logic bug. Next I tried to escalate the vulnerability by editing or deleting the victim's own flight alert. How? With the operateType parameter again. I created a flight alert from the "Victim" account, so now the attacker has a flight alert and the victim also has one on his account, created by him.

This parameter is the ID of the flight alert. I tried replacing the attacker's ID with the victim's ID, but that alone does not work: without setting the destination and pick-up point to the same value, a 403 pops up just as it did when we switched the email. So we first have to set the destination and pick-up point to the same value to break the function, then switch the flight alert ID to the victim's ID and manipulate it with the operateType parameter. With operateType 2 I can edit whatever I want, like the price or the date of the flight, but not the destination and arrival, because as soon as they have two different values the function is no longer broken. Then I changed operateType to 3 and it deleted the flight alert from the victim's account. So, as you can see, I broke the whole function, adding, editing and deleting flight alerts without the victim's permission, all because of a small logic bug in the dCity and aCity parameters: there is no condition in the backend checking whether they have the same value. If you reached this point of the write-up, thank you, and I hope you learned something new.
