IDOR Vulnerability Allowed the Deletion of Any User from an Administrator Account.

Explanation

Since the bug is not yet resolved and it’s a private bug bounty program, I will refer to the platform as example.com. I have a program with a business registration function that creates an admin account, granting full administrator permissions when creating an account, allowing you to add users, groups, and policies. I decided to create two accounts: one for the attacker and one for the victim. I created a user in each account and filled out the required information: First Name, Last Name, Email, ID(optional), and Group.

After creating these users, I wanted to test if there were additional functions available for editing user information. I found two functions: update with the /updatePerson endpoint and delete with the /deletePerson endpoint. I attempted to delete a user by clicking Delete User, intercepted the request, and confirmed the user deletion. I discovered that the program uses a REST API with JSON format and includes the user id from the administrator’s attacker account.

I tried changing the ID to the user ID from the victim account that I had created.

The user from the victim account was successfully deleted.