Second Strike: Uncovering a GraphQL IDOR That Let Me Delete Anyone's Post


Dukrov 🍏

T2 Again?

Yap. This time, it was an IDOR (Insecure Direct Object Reference).

Here’s how it worked: when you create a post on T2 Social, the system assigns an ID to that post. Like on other social platforms, this ID is linked to both the post and you, the author.

Whenever you attempt to delete your post, the app should verify that the post ID you're trying to delete actually belongs to you. In other words, it checks that you're the author of that post.

However, T2 didn't properly check this, which allowed an attacker to delete any post on the platform simply by replacing their own post ID with someone else's.

By intercepting the DELETE request, I replaced the post ID of my logged-in account with one from another account I had created. As expected, the post belonging to the other account got deleted.
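The check that was missing, shown as a GraphQL `deletePost` mutation resolver in two versions: one that only confirms the caller is logged in (the IDOR), and one that also confirms the caller owns the post. This is an added example written for this write-up, not T2 Social's code; the mutation name, argument names, the `context.userId` / `context.db` shape and the in-memory store are all assumptions, and the two accounts and posts are constructed sample data.

```javascript
// Added example, not T2 Social's code: a GraphQL deletePost resolver with and
// without an ownership check. Mutation name, argument names, context shape and
// the in-memory store are assumptions made for illustration.

// Constructed sample data: two accounts, one post each.
function makeStore() {
  return new Map([
    ["post-1", { id: "post-1", authorId: "user-alice", body: "alice's post" }],
    ["post-2", { id: "post-2", authorId: "user-bob", body: "bob's post" }],
  ]);
}

// Vulnerable resolver: authentication is checked, authorization is not.
// Any logged-in caller can delete any post id they can obtain.
const vulnerableResolvers = {
  Mutation: {
    deletePost(_parent, { id }, context) {
      if (!context.userId) throw new Error("UNAUTHENTICATED");
      const post = context.db.get(id);
      if (!post) throw new Error("NOT_FOUND");
      context.db.delete(id); // missing: post.authorId === context.userId
      return { id, deleted: true };
    },
  },
};

// Hardened resolver: object-level authorization keyed on the server-side
// identity from the session, never on anything the client sends.
const hardenedResolvers = {
  Mutation: {
    deletePost(_parent, { id }, context) {
      if (!context.userId) throw new Error("UNAUTHENTICATED");
      const post = context.db.get(id);
      // Same error for "does not exist" and "not yours", so the response
      // does not confirm which ids belong to other accounts.
      if (!post || post.authorId !== context.userId) {
        throw new Error("NOT_FOUND");
      }
      context.db.delete(id);
      return { id, deleted: true };
    },
  },
};

// Drive a resolver the way a GraphQL server would after authenticating the
// session: the caller's userId and the data layer are placed in context.
function runDelete(resolvers, db, userId, postId) {
  try {
    const result = resolvers.Mutation.deletePost(null, { id: postId }, { userId, db });
    return { ok: true, result };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Stand-alone demo: alice tries to delete bob's post against both versions.
const demoVuln = makeStore();
console.log("vulnerable:", runDelete(vulnerableResolvers, demoVuln, "user-alice", "post-2"),
  "remaining:", [...demoVuln.keys()]);
const demoHard = makeStore();
console.log("hardened:  ", runDelete(hardenedResolvers, demoHard, "user-alice", "post-2"),
  "remaining:", [...demoHard.keys()]);
```

The point of the hardened version is that the ownership comparison uses the identity the server already established for the session; the post ID from the request is only ever a lookup key. Returning the same `NOT_FOUND` for a foreign post and a nonexistent one is a small extra hardening so that the delete endpoint cannot be used to confirm which IDs exist.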

Thankfully, after reporting this bug, the team quickly fixed it, and I received another $100 bounty.
