Uncovering an IDOR Vulnerability in a Major Online Store

Greetings, cybersecurity enthusiasts! Following my previous blog post on revealing a logic flaw in an e-commerce website, I’m excited to walk you through my recent discovery of an IDOR vulnerability in the same major online store.

In the world of online retail, keeping customers updated on product availability is crucial for driving sales and ensuring customer satisfaction. Many online stores, including redacted.com (for privacy purposes), offer a ‘Keep me informed’ option for out-of-stock items, allowing users to receive email notifications when products are back in stock. In this blog post, I’ll discuss an Insecure Direct Object Reference (IDOR) vulnerability I discovered that allows an attacker to unsubscribe users from these updates, potentially causing the company to lose customers and sales opportunities.

The Bug: While exploring the ‘Keep me informed’ functionality on redacted.com, I realized that the platform uses a simple, ascending number-based system to manage user subscriptions for product updates. This system makes it relatively easy for an attacker to automate the process of unsubscribing users from email updates for any out-of-stock product. This issue can be classified as an Insecure Direct Object Reference (IDOR) vulnerability, as it allows an attacker to directly access and manipulate objects (in this case, user subscriptions) without proper authorization.

Understanding IDOR Vulnerabilities: An Insecure Direct Object Reference (IDOR) vulnerability arises when an application exposes internal object references without proper authorization checks. This allows attackers to access sensitive data or perform unauthorized actions. To prevent IDOR vulnerabilities, developers should implement access control mechanisms and validate user inputs.

Here’s the proof of concept (PoC) I reported to the company:

Locate the unsubscribe link in the email notification for an out-of-stock product. The link follows this format: …product-unsubscribe/product_number?delete=user_numberNotice that the user_number is in ascending order, making it simple to automate the process of unsubscribing all users with tools like Burp Suite’s Intruder.By changing the user_number and product_number values, an attacker can unsubscribe users from email updates for any out-of-stock item on redacted.com.

I reported this bug to the company, and in a few days, the company acknowledged the vulnerability and marked it as a low-impact issue, rewarding me with $60 for my efforts. While this IDOR vulnerability may not be a high-priority issue, it is essential for businesses to be aware of all potential weaknesses in their systems and address them accordingly to ensure the security and satisfaction of their customers.

If you enjoyed this post, please share it and follow my Medium account for more bug bounty insights. Thanks for your support!