A step-by-step look at how I leveraged IDOR in profile updates to hijack user accounts
Ever stumbled upon a small flaw that could lead to something big? That’s exactly what happened when I discovered an IDOR (Insecure Direct Object Reference) vulnerability in the profile update feature of an application. At first glance, it seemed harmless — just two “IDs” exposed in an API request. But after a bit of digging, I realized this simple oversight could allow anyone to take over any user’s account! In this blog, I’ll walk you through how I found this bug, how it works, and why it’s a huge security risk. Let’s dive into it!
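To make the flaw concrete, here is an added example (my code, not the post's or the target application's) of a profile-update handler that trusts a client-supplied id, beside one that binds the update to the authenticated session and records mismatches; the user store, field names and ids are constructed.

```python
# Added example (not the original post's code): the profile-update IDOR
# pattern the post describes, modelled in plain Python. The vulnerable
# handler picks the target profile from a client-supplied id; the fixed
# handler binds the update to the authenticated session and logs mismatches.
# All names, fields and sample data below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

def fresh_users() -> Dict[int, dict]:
    """Constructed sample store: user_id -> profile."""
    return {
        101: {"email": "victim@example.test", "name": "Victim"},
        202: {"email": "attacker@example.test", "name": "Attacker"},
    }

@dataclass
class Request:
    session_user_id: int   # identity the server authenticated (cookie/token)
    body: dict             # JSON body exactly as the client sent it
    audit: List[str] = field(default_factory=list)  # stand-in for a security log

def update_profile_vulnerable(req: Request, users: Dict[int, dict]) -> dict:
    """IDOR: the object to modify is chosen from the client-controlled body,
    so any logged-in user can rewrite any other user's profile."""
    target = req.body["id"]
    users[target].update({k: v for k, v in req.body.items() if k != "id"})
    return users[target]

def update_profile_fixed(req: Request, users: Dict[int, dict]) -> dict:
    """Fix: the target is the session identity. A body id that disagrees is
    refused and recorded, which doubles as a detection signal for probing."""
    target = req.session_user_id
    body_id = req.body.get("id")
    if body_id is not None and body_id != target:
        req.audit.append(f"idor_attempt session={target} body_id={body_id}")
        raise PermissionError("profile id does not match authenticated user")
    users[target].update({k: v for k, v in req.body.items() if k != "id"})
    return users[target]
```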
First, I created two accounts — one as the victim and the other as the attacker.
Step 1: Here, you can see the Victim profile.