Hey guys, similar to my previous story, this is another very simple IDOR that let me log in to anybody's account attending the conference virtually. I dug up some screenshots, and we will just call the conference SecCon.
Due to how simple this is, there isn't much of a background. I decided to attend the event virtually and stay in the office, as it was a rather small con. The day of the event I got an email with an access link.
https://www.site.org/con-location-2023

The site wasn't hosted by the conference but rather by another company. When you click on the link you get brought to the screen seen below.
I logged in and realized it didn't require a password or anything; I was just logged straight in. At first I didn't think much of it, assuming I had logged in on a previous day and it had saved my login, but a bit later I used the same link on my phone and realized there really was no password required. I then opened the link in an incognito tab, typed in a known valid email of another user, and just like that we were in that account!
This was a vendor's account, meaning I could message people on the sponsoring company's behalf and read their messages as well. I obviously didn't do anything more than grab this screenshot before logging out.
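To make the flaw concrete, here is an added example (not code from the conference platform, whose implementation is unknown) that contrasts the login behaviour described above with a hardened version. The vulnerable handler treats a known email address as proof of identity, which is exactly what allowed the incognito-tab login. The hardened handler assumes the platform controls link generation and puts a per-user, server-signed, expiring token in the access link, so the email on its own proves nothing. The user list, the server key and the `?token=` parameter are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample user store (email -> role). The real platform's data
# model is unknown; these addresses are placeholders.
USERS = {
    "attendee@example.com": "attendee",
    "vendor@sponsor.example.com": "vendor",
}


def vulnerable_login(email: str) -> Optional[dict]:
    """The behaviour described in the post: a known email address is treated
    as sufficient proof of identity, so anyone who knows a registered address
    is handed that account's session."""
    role = USERS.get(email)
    if role is None:
        return None
    return {"email": email, "role": role}


# Hardened form (assumption: the platform generates the access links itself).
# Each link carries a token signed with a server-side key and bound to one
# email address, with an expiry, so the address alone is not a credential.
SERVER_KEY = secrets.token_bytes(32)   # never leaves the server
TOKEN_TTL = 24 * 3600                  # seconds the link stays valid


def _sign(email: str, exp: int) -> str:
    """HMAC over the email and expiry, so the token cannot be moved to
    another account or extended without the server key."""
    payload = f"{email}|{exp}".encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_access_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Mint the token embedded in the access link sent to one registered user."""
    if email not in USERS:
        return None
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{exp}.{_sign(email, exp)}"


def hardened_login(email: str, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Create a session only if the token is well-formed, unexpired, and its
    signature matches this exact email address."""
    role = USERS.get(email)
    if role is None or not token:
        return None
    exp_str, _, sig = token.partition(".")
    try:
        exp = int(exp_str)
    except ValueError:
        return None                     # malformed token
    current = now if now is not None else time.time()
    if current > exp:
        return None                     # link has expired
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(sig, _sign(email, exp)):
        return None
    return {"email": email, "role": role}


def build_access_link(email: str,
                      base: str = "https://www.site.org/con-location-2023") -> Optional[str]:
    """Per-user link as it would be emailed; the token parameter name is an assumption."""
    token = issue_access_token(email)
    if token is None:
        return None
    return f"{base}?token={token}"


if __name__ == "__main__":
    # The same email that a stranger could type in is rejected without its token.
    print(vulnerable_login("vendor@sponsor.example.com"))
    print(hardened_login("vendor@sponsor.example.com", ""))
    print(build_access_link("vendor@sponsor.example.com"))
```

A signed, expiring token closes the gap shown in the post, but a production deployment would also tie the token to a single use or to an issued session cookie, so that a forwarded or leaked link cannot be replayed for the whole conference.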