A simple IDOR vulnerability can leak the email addresses of all users

r0b0ts
2 min read · Sep 21, 2024


IDOR

In this story, I am going to talk about the bug hunting journey in which I found this IDOR vulnerability.

IDOR (Insecure Direct Object Reference) is easy to understand, but it occurs about as often as XSS (Cross-Site Scripting) and can be rated high severity, because it can leak PII (Personally Identifiable Information) by simply changing an object identifier in a request.

I was just using the application's various functions to understand what it does. It was a shopping platform and I had an order number, so I could check the order status with that order number.

POST /v2/order-numbers/123456789/status HTTP/2
Host: *****
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: en-US, en
Accept-Encoding: gzip, deflate, br
Referer: https://*****
Authorization: ******************************
Content-Type: application/json
Content-Length: 21
Origin: https://*********
Priority: u=4
Te: trailers

As shown in the request above, with order number 123456789 the user can look up the status of that order.

My order number 123456789 was a cancelled order. So, when I checked the status of the cancelled order number, I got an 'It is cancelled order number' error message that included the email address of the user connected to that order number.

I supposed that other users' cancelled order numbers would return a similar error message including each user's email address.

So I fuzzed the last four digits of the order number to trigger the cancelled-order error message, which contains each user's email address, for other users' orders.

As the fuzzing result showed, an attacker can learn other users' email addresses from the error message. Also, if the order number does not exist, the server responds with an internal server error (HTTP 500), which separates valid order numbers from invalid ones.

With the result of the fuzzing, an attacker can collect a large number of email addresses and existing order numbers.
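The following is an added example, not code from the original post or from the affected platform. It models the behaviour described above with a small in-memory endpoint (the order numbers, emails, error strings and the `mallory` attacker account are all constructed sample data), runs the same last-four-digits enumeration against it, and shows a hardened version that binds the order to the authenticated caller and stops echoing the email.

```python
"""Added example: a toy model of the vulnerable status endpoint, the enumeration
the post describes, and a hardened endpoint. All data below is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Order:
    owner: str   # account that placed the order (assumed field for the example)
    email: str   # email address stored on the order
    status: str  # "shipped", "processing" or "cancelled"


# Constructed sample data: 9-digit order numbers sharing the same first five digits.
ORDERS = {
    "123456789": Order("alice", "alice@example.com", "cancelled"),
    "123450001": Order("bob", "bob@example.com", "cancelled"),
    "123450042": Order("carol", "carol@example.com", "shipped"),
    "123459999": Order("dave", "dave@example.com", "cancelled"),
}


def vulnerable_status(order_no: str, caller: str) -> tuple[int, dict]:
    """Mirrors the endpoint in the post: the order number is the only key and
    the caller's identity is never consulted (assumed behaviour)."""
    order = ORDERS.get(order_no)
    if order is None:
        return 500, {"error": "internal server error"}   # unknown number -> 500
    if order.status == "cancelled":
        # The error message leaks the email tied to the order.
        return 400, {"error": f"It is cancelled order number ({order.email})"}
    return 200, {"status": order.status}


def hardened_status(order_no: str, caller: str) -> tuple[int, dict]:
    """Same lookup, but the order must belong to the caller and the response
    never echoes PII. Unknown and foreign orders are indistinguishable."""
    order = ORDERS.get(order_no)
    if order is None or order.owner != caller:
        return 404, {"error": "order not found"}
    if order.status == "cancelled":
        return 400, {"error": "order is cancelled"}
    return 200, {"status": order.status}


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def enumerate_emails(endpoint, prefix: str, caller: str) -> dict[str, str]:
    """Fuzz the last four digits of the order number, as in the post, and
    collect every email address that shows up in an error message."""
    found = {}
    for suffix in range(10_000):
        order_no = f"{prefix}{suffix:04d}"
        _, body = endpoint(order_no, caller)
        match = EMAIL_RE.search(body.get("error", ""))
        if match:
            found[order_no] = match.group(0)
    return found


if __name__ == "__main__":
    # "mallory" is authenticated but owns none of the orders.
    print("vulnerable:", enumerate_emails(vulnerable_status, "12345", "mallory"))
    print("hardened:", enumerate_emails(hardened_status, "12345", "mallory"))
```

Two things in the hardened version matter beyond the ownership check: the cancelled-order message no longer carries the email, and a missing order and someone else's order both return the same 404, so the endpoint stops acting as an oracle for which order numbers exist.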

Happy hacking :)

Written by r0b0ts

Bug Bounty Hunter | WebApp Security | Korean