My First $100 Bounty: Exploiting IDOR Vulnerability in Account Section


Whitehat

Hey Researchers and Bug hunters!

Today, I want to take you back to a special moment in my bug bounty journey—my very first vulnerability discovery that rewarded me with $100! It was an IDOR (Insecure Direct Object Reference) vulnerability that I found in the Account section of a website, and though it seemed simple, it turned out to be a medium-severity bug that could seriously impact user privacy. This discovery taught me the value of attention to detail, and it’s a moment I’ll always remember.

This article discusses the IDOR vulnerability I discovered, which allows unauthorized access to user-uploaded photos on a website. IDOR vulnerabilities occur when an application doesn’t correctly verify whether a user is authorized to access a resource. In this case, the flaw made it possible to view users' private photos by manipulating URLs. I’ve reported this bug in multiple programs, and it’s often classified as medium severity due to the privacy risks it poses.

Start by registering on the target website and logging into your account.

Navigate to your Account section and upload a photo to your account.

After the image has been uploaded, right-click on the photo and copy the link to the image.

Open another browser (one with no session for the site), paste the copied link into the address bar and hit enter.

You will notice that the image is still accessible, even without being logged in, confirming that the application doesn’t check for proper authentication when accessing resources.
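To make the missing check concrete, here is an added example (not code from the original post or from the affected site) modelling the photo endpoint: the vulnerable handler looks the image up by id and returns it to anyone, while the fixed handler requires a session and verifies that the requester owns the object. The photo store, user names and ids are constructed sample data.

```python
# Added example: a minimal model of a photo-serving endpoint, showing the
# missing-authorization bug beside the fixed handler. Store, users and photo
# ids below are constructed sample data, not values from the write-up.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class Photo:
    owner: str   # user id that uploaded the photo
    data: bytes  # image bytes (constructed placeholder)

# Constructed sample store: photo id -> Photo
PHOTOS = {
    "1001": Photo(owner="alice", data=b"\x89PNG...alice"),
    "1002": Photo(owner="bob", data=b"\x89PNG...bob"),
}

Handler = Callable[[Optional[str], str], Tuple[int, bytes]]

def serve_photo_vulnerable(session_user: Optional[str], photo_id: str) -> Tuple[int, bytes]:
    """Vulnerable: resolves the object by id and returns it without asking
    who is requesting it, so a copied link works with no session at all."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        return 404, b""
    return 200, photo.data

def serve_photo_secure(session_user: Optional[str], photo_id: str) -> Tuple[int, bytes]:
    """Fixed: require an authenticated session and check that the caller owns
    the object. Unknown ids and other users' ids both return 404 so the
    response does not reveal which ids exist."""
    if session_user is None:
        return 401, b""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo.owner != session_user:
        return 404, b""
    return 200, photo.data

def logged_out_check(handler: Handler, photo_id: str = "1001") -> bool:
    """The test from the write-up: request a known photo id with no session.
    Returns True when the handler correctly refuses (status other than 200)."""
    status, _ = handler(None, photo_id)
    return status != 200
```

Running `logged_out_check` against both handlers reproduces the article's test: the vulnerable handler still serves the image to an anonymous request, the fixed one does not.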

I hope this makes clear how to find this issue. Programs will generally accept it as a medium-severity vulnerability. Thanks for reading! If it was helpful for you, do clap and leave a comment.
