Hello there, hello again. I hope that everyone is doing well. I'm back this time with another issue that I discovered on a dating service.

Here, I'll demonstrate how I could view or listen to anyone's chat within the application.


What is the vulnerability:

     I discovered an IDOR vulnerability where I was able to view anyone's chat.

Now, let's first clarify what IDOR is: 

  IDOR stands for Insecure Direct Object Reference. Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a “direct object reference,” such as a database key, query parameter, or filename. In other words, the application uses the user-supplied reference directly to look up the object, without checking whether the requesting user is actually authorized to access it.


Now, let's look at the actual vulnerability:

  Because I discovered this vulnerability through a private bug bounty program and am unable to reveal the identity of the application, xyz.com will be used in this case.

  Account takeover and broken access control are the only vulnerabilities I concentrate on while testing a website. When I first entered the website, I discovered a few low-hanging issues, including HTML injection, stored cross-site scripting, CSRF, session misconfiguration, and weak cookie encryption. But as I said, my only focus was to take over other users' accounts or find broken access control.

  So, after some time, I learned that the application has a chat feature and began looking into the chat functionality. After some investigation, I found that when I access any conversation in my account, the HTTP request contains an id parameter. By changing this parameter, I could read the chats of other accounts.


 Now let's look at the steps:

1. Access any conversation in your account first, then use Burp Suite to intercept the request.

2. Change the chat-id to the victim's chat-id.

3. You will be able to read the other user's chat.
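The flaw described above, with the check that closes it, as an added example that is not code from the application in this post. The conversation store, user names, and chat ids are constructed for illustration; the point is that the chat-id from the request is used to select the conversation, and only the fixed handler verifies that the authenticated user is a participant.

```python
# Added example (not the application's code): a chat lookup keyed only on the
# client-supplied chat-id, beside the same lookup with a participant check.
from dataclasses import dataclass, field


@dataclass
class Conversation:
    chat_id: int
    participants: frozenset  # user ids allowed to read this chat
    messages: list = field(default_factory=list)


# Constructed sample data: two conversations between different user pairs.
CONVERSATIONS = {
    101: Conversation(101, frozenset({"alice", "bob"}), ["hi bob", "hi alice"]),
    102: Conversation(102, frozenset({"carol", "dave"}), ["dinner?", "sure"]),
}


class Forbidden(Exception):
    """Raised when the requester is not a participant of the conversation."""


def get_chat_vulnerable(session_user: str, chat_id: int) -> list:
    """IDOR: the id from the request selects the object and nothing checks
    that session_user may see it, so any chat id that exists is served."""
    return CONVERSATIONS[chat_id].messages


def get_chat_fixed(session_user: str, chat_id: int) -> list:
    """Same lookup, but the object is released only to a participant.
    A missing chat and a forbidden chat produce the same error, so the
    response does not reveal which ids exist."""
    conv = CONVERSATIONS.get(chat_id)
    if conv is None or session_user not in conv.participants:
        # Defender note: log the user and id here; repeated denials from one
        # session are the signal that someone is walking the id space.
        raise Forbidden(f"user {session_user!r} may not read chat {chat_id}")
    return conv.messages


def can_read(session_user: str, chat_id: int) -> bool:
    """True if the fixed handler would serve this chat to this user."""
    try:
        get_chat_fixed(session_user, chat_id)
        return True
    except Forbidden:
        return False
```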


 Now let's look at the PoC:

The image shows me accessing a chat within my own account.

The image shows the captured request in Burp Suite.

The image shows how I modified the chat-id parameter to the victim's chat-id.

The image shows that I can access the victim's conversation.

 

Hopefully, you learned something new. Have a great time everyone and thanks for reading!!