Insecure Direct Object Reference (IDOR)

Hello Hackers, Welcome back to my latest article on the Insecure Direct Object Reference flaw I found in an Android e-commerce application.

Introduction 

I'm excited to discuss our most recent research on the Insecure Direct Object Reference (IDOR) flaw. In the search of a more secure digital environment, this blog intends to provide light on the nature of this vulnerability, its possible impact on user data, and the significance of responsible disclosure.

Understanding IDOR Vulnerabilities

When an application exposes internal object references, such as database records or files, to users without the appropriate access restrictions, this is known as an insecure direct object reference (IDOR) vulnerability. Attackers can use this flaw to get access to sensitive data that they normally wouldn't be granted authorization to view, change, or delete.

The Finding:

During our extensive security research, I came across an IDOR vulnerability within the systems of a prominent organization. This discovery exemplifies the importance of thorough testing and security assessments to identify potential weaknesses that could compromise user data.

Proof of Concept (POC):

1) IDOR vulnerable endpoint in application.

2)This image contains original request of the user.

   3)This image contains manipulated with victim's id and get successful response.

 

This vulnerability might result in account takeover. But we'll talk about it at a later time. 

Thank you for reading!!