My first IDOR hunting story

Hello, all my fellow security researchers! My identity goes by the name “hackergandhi,” and I have been immersed in the field of cybersecurity for the past 10 months. I’ve been learning through self-study, without any additional coaching or a formal teacher. Currently, I am just 17 years old and pursuing my studies in the 12th standard.

About Bug Bounty Program

You might find it amusing, but I have been bug hunting for almost 5 months now. During this time, I made all the typical mistakes beginners make — the most significant one being spending too many days on a single program. I used to stick to a program for only 2 to 3 days and then move on to the next one. Due to these mistakes, I was finding very few bugs.
Then, I received an invitation to a private bug bounty program on HackerOne after about one and a half months of continuous hunting. Yes, it was my first program where I spent such a long time. Unfortunately, I can’t reveal the program’s name as it was a private bug bounty program.

About My bug hunting methodology

I had prepared a comprehensive checklist for hunting on that program, and I was following it step by step. Thanks to that checklist, I found a valid bug on the 5th day — a tiny bug, but significant: “Failure to session invalidate on enabling and disabling 2FA.” During this time, I was also in the midst of my 12th-grade exams, which constrained the time I could dedicate to hunting in the program. Due to these constraints, I couldn’t hunt daily.
After approximately a month, it was time to focus on IDOR according to my checklist.

Intresting part of my hunting life

You might find it surprising, but when I sat down in front of my laptop for IDOR hunting, within just 10 minutes, I discovered my first IDOR bug of my life. However, it was classified as a P4 since it didn’t have any significant impact; it remained a low-hanging bug. Just half an hour later, I stumbled upon another IDOR, this time with a P2 severity rating. With this bug, I could delete any user’s account on the website permanently through the IDOR vulnerability. Without hesitation, I promptly reported it.

About bug

I’ll show you a screenshot of the description and also provide step-by-step reproduction images. This way, you’ll have a clear understanding of how the bug was functioning.

You can see what kind of bug it was, and it may seem simple at first glance, but finding it requires effort and patience. I appreciate your patience and thank you all from the bottom of my heart for taking the time to read this write-up.