IDOR to make comment in user’s private posts


Hello hackers, today I will show you how I was able to comment on any user's private post through an IDOR.

| Understanding target

The target is a sports and exercise application, and the program is public. It lets a user create their own exercises and share them with friends; the result of an exercise can be shared as a post. There are two types of exercise, routes and workouts, and three post privacy levels: public, private and friends only.
You can infer each privacy level from its name, but for clarity:
Public post: any user can see it, interact with it and see its comments.
Private post: no one can see it except you.
Friends-only post: only people on your friends list can see it.

| The bug

While testing this target I created a new post and went to my profile,
then tried to comment on my own post and intercepted the request.

this is the request:

So yes, under target there is an 'id' parameter. As you are probably thinking right now, I thought the same thing: what if I put another user's private post id there? So I put the victim's ID and sent the request, and yes,

the response was '201 Created': I had successfully added a comment to the victim's private post.
I reported this bug and unfortunately it was a duplicate, but that is not why I am writing this writeup. In the next writeup I will show how I thought differently and exploited this vulnerability to get the bug accepted.
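The root cause described above is that the comment endpoint looks up the post by the client-supplied id and never checks whether the caller is allowed to see that post, so the privacy rules from the first section are simply not enforced on the comment path. The following is an added example, not code from the target or from the author: a minimal in-memory model of the three privacy levels, the vulnerable comment handler beside a fixed one, and a probe that replays the attacker's own comment request against every post id, which is the check a tester would run to confirm the IDOR. The request body shape `{"target": {"id": ...}, "text": ...}`, the usernames and the post ids are assumptions for illustration.

```python
"""
Added example: comment endpoint with and without the post-visibility check.
The request shape, usernames and post ids are assumptions, not the target's.
"""
from dataclasses import dataclass, field

PUBLIC, PRIVATE, FRIENDS = "public", "private", "friends"


@dataclass
class Post:
    id: int
    owner: str
    privacy: str
    comments: list = field(default_factory=list)


@dataclass
class Store:
    posts: dict           # post id -> Post
    friends: dict         # username -> set of friend usernames


def can_view(store, viewer, post):
    """The privacy rules from the writeup: owner always, public for
    everyone, friends-only for the owner's friends, private for nobody."""
    if viewer == post.owner or post.privacy == PUBLIC:
        return True
    if post.privacy == FRIENDS:
        return viewer in store.friends.get(post.owner, set())
    return False  # PRIVATE


def add_comment_vulnerable(store, session_user, body):
    """Mirrors the bug: trusts body['target']['id'] and appends the
    comment without asking whether session_user may see the post."""
    post = store.posts.get(body["target"]["id"])
    if post is None:
        return 404, None
    post.comments.append((session_user, body["text"]))
    return 201, len(post.comments)


def add_comment_fixed(store, session_user, body):
    """Same handler with the missing authorization check. Returning 404
    rather than 403 avoids confirming to an attacker that the id exists."""
    post = store.posts.get(body["target"]["id"])
    if post is None or not can_view(store, session_user, post):
        return 404, None
    post.comments.append((session_user, body["text"]))
    return 201, len(post.comments)


def demo_store():
    """Constructed sample data: one victim with a post at each privacy
    level and a single friend named 'pal'."""
    store = Store(posts={}, friends={"victim": {"pal"}})
    store.posts[1] = Post(1, "victim", PRIVATE)
    store.posts[2] = Post(2, "victim", FRIENDS)
    store.posts[3] = Post(3, "victim", PUBLIC)
    return store


def idor_probe(handler, caller="attacker"):
    """Replay the caller's own comment request against every post id and
    return {post_id: http_status}. A 201 on a post the caller cannot
    view is the IDOR."""
    store = demo_store()
    results = {}
    for pid in store.posts:
        body = {"target": {"id": pid}, "text": "hi"}
        status, _ = handler(store, caller, body)
        results[pid] = status
    return results


if __name__ == "__main__":
    print("vulnerable:", idor_probe(add_comment_vulnerable))
    print("fixed     :", idor_probe(add_comment_fixed))
    print("fixed/pal :", idor_probe(add_comment_fixed, caller="pal"))
```

Against the vulnerable handler the probe gets 201 on all three posts, including the private one, which is exactly the behaviour in the writeup; against the fixed handler the attacker only gets 201 on the public post, and the friend only on the public and friends-only posts.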

I hope you enjoyed this writeup, and don't forget to like :).

My LinkedIn: Youssif Mohamed
