Hi, Ajak Amico here, welcome back to another blog. I will explain how I found an IDOR vulnerability that let me see other users' private profile pictures in the un.org organization. So before starting, if you haven't subscribed to our channel, do subscribe, guys.
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Here I just fetched subdomains using https://subdomainfinder.c99.nl/, then used the Bulk URL Opener extension and looked at each and every domain:
https://subdomainfinder.c99.nl/
https://chrome.google.com/webstore/detail/bulk-url-opener-extension/hgenngnjgfkdggambccohomebieocekm
As I said previously, the first step of my recon process is playing with each and every feature present on the site. I found a subdomain with a register and login page and many interesting features to play with, immediately created an account, fired up my Burp Suite, and started to observe how the request and response worked for each and every endpoint through Burp. Every API request had a CSRF token implemented to prevent improper access control, but the one thing that caught my eye was that the URL identifiers weren't encrypted:
For example: https://www.un.org/users/123456/dashboard/
I tried for ATO and auth bypass, but nothing worked: as I already said, every endpoint had a CSRF token, and the site blocked my manipulated requests by throwing a 403 Forbidden error.
Next I came to the profile picture functionality. I simply uploaded a pic and checked how the request works, and tried to attain stored XSS via file upload, but it blocked my request stating 'image can't be uploaded'. Then I uploaded a normal picture and viewed the profile; it was uploaded successfully. I opened the profile pic in a new tab, and this is how my endpoint looked:
https://un.org/profile/123456/default-pic/pictures-12343544
I tried changing 'pictures-12343544', but nothing changed. Once I changed '/profile/123456/', though, it showed the profile pictures of other users, which should be private. Very easy, right? I immediately captured the request in Burp Suite and saw that no CSRF token was implemented for that specific API endpoint. And guess what: overall there were 15 lakh (1.5 million) registered user profiles💀, and I was able to fetch each and every profile picture. Just for the POC, I used the Intruder tab to fetch 100 users' profile pics, created a report, and submitted it to un.org.
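To make the root cause concrete, here is an added example (my own code, not the site's or the report's): a handler that trusts the user id in the path, the same handler with the missing object-level authorization check, and a small log heuristic that would flag the kind of enumeration the Intruder run produced. The user ids, picture ids and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample store: user id -> {picture id -> private picture bytes}
PICTURES = {
    "123456": {"pictures-12343544": b"<jpeg of user 123456>"},
    "123457": {"pictures-98765432": b"<jpeg of user 123457>"},
}


def serve_picture_vulnerable(session_user, path_user, picture_id):
    """Mirrors the reported bug: the user id taken from the URL path is
    trusted as-is, so any logged-in user can fetch any other user's picture.
    A CSRF token would not help here, the request comes from the attacker's
    own valid session."""
    return PICTURES.get(path_user, {}).get(picture_id)


def serve_picture_fixed(session_user, path_user, picture_id):
    """Object-level authorization: the picture is returned only when the id
    in the path belongs to the authenticated user (None stands for 403)."""
    if session_user != path_user:
        return None
    return PICTURES.get(path_user, {}).get(picture_id)


# Constructed access-log format: "session=<id> GET <path> <status>"
LOG_RE = re.compile(r"session=(\S+) GET /profile/(\d+)/default-pic/\S+")


def enumeration_suspects(log_lines, threshold=5):
    """Return sessions that fetched pictures under more than `threshold`
    distinct profile ids. Since pictures here are private, a real user only
    ever loads their own id, so even a low threshold is meaningful."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


# Constructed log: one session walking ten consecutive ids, one normal user.
SAMPLE_LOG = [
    f"session=att GET /profile/{123450 + i}/default-pic/pictures-1 200"
    for i in range(10)
] + ["session=alice GET /profile/123456/default-pic/pictures-12343544 200"]
```

Sequential numeric ids make the enumeration both easy to perform and easy to spot in logs; the authorization check is the fix, the log heuristic only tells you it is being abused.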
Always play with all endpoints manually, and a tip from godfather Orwa: your Burp Suite should always be open🔥.
Reference report:
https://hackerone.com/reports/2024284
And my lovely people, since this report hasn't been patched, I haven't disclosed the exact subdomain, and I am still waiting for a good reply. Hope to hear happy news 💖 Thanks for reading my blog🙏.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hope you have learned some information from this blog; if so, kindly press the follow button for further updates. Best wishes from Ajak Cybersecurity.❤️
“கற்றவை பற்றவை” (Hold on to what you have learned)🔥
Learn Everyday, Happy Hacking 😁🙌
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —