July 1, 2026
$600 IDOR
This write-up is about how I found an IDOR that allowed me to download private content.

By Rajveer
1 min read
Some details have been changed to maintain confidentiality
As always, I started by testing the target manually and understanding the application's behavior and restrictions.
The Discovery
The application allows users to publish their 3D models and choose the visibility as either public or private.
I created a model with public visibility and captured the endpoint used to fetch its details.
Next, I changed the visibility to private and tested the same API endpoint again. As expected, it returned an error.
At this point, I started interacting with every other endpoint that could potentially leak the model's data. While testing, I found that the download endpoint still worked.
Now I only needed the model's UUID to download any private 3D model.
Obviously, the UUID was non-guessable.
Finding the UUID
I explored other sections of the application and searched for the model's name using the search bar.
There were no results on the UI, so I inspected the API response and…
I found the UUID.
Now I could download private 3D models, but the request required one additional parameter: file_id, which is used to track changes made to the model.
Whenever a model is modified, its file_id changes.
The first thing I tried was brute-forcing the file_id. It was only four digits long, and there was no rate limiting in place.
With both the UUID and file_id, I was able to download private 3D models, making this a high-impact vulnerability.
I reported the issue through the bug bounty program and received a reward.
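As an added illustration (not code from this write-up or from the target application), here is a constructed minimal model service showing the two gaps described above, a download endpoint that skips the visibility check the details endpoint enforces and a search API that returns private UUIDs the UI hides, next to the checks that close them. The store, user names, model names and the `file_id` values are all made up.

```python
# Added illustration (not the target application's code): a minimal in-memory
# 3D-model service with the vulnerable and fixed forms of the two endpoints.
# All users, models and tokens below are constructed sample data.
from dataclasses import dataclass
import secrets


@dataclass
class Model:
    uuid: str
    owner: str
    name: str
    visibility: str   # "public" or "private"
    file_id: str      # revision token; changes whenever the model is modified


# Constructed sample data: one private model, one public model
MODELS = {
    "a1b2": Model("a1b2", "alice", "Dragon", "private", "0421"),
    "c3d4": Model("c3d4", "bob", "Dragon Egg", "public", "7788"),
}


def can_view(requester, model):
    """Object-level authorization: owners see everything, everyone else sees public only."""
    return model.visibility == "public" or model.owner == requester


def download_vulnerable(requester, uuid, file_id):
    """Checks only that the model and revision exist, never who is asking (the IDOR)."""
    m = MODELS.get(uuid)
    if m is None or m.file_id != file_id:
        return None
    return f"<bytes of {m.name}@{file_id}>"


def download_fixed(requester, uuid, file_id):
    """Same lookup, but the visibility rule used by the details endpoint is applied here too."""
    m = MODELS.get(uuid)
    if m is None or not can_view(requester, m) or not secrets.compare_digest(m.file_id, file_id):
        return None
    return f"<bytes of {m.name}@{file_id}>"


def search_vulnerable(requester, query):
    """Returns every name match, so private UUIDs leak in the JSON even when the UI shows nothing."""
    return [m.uuid for m in MODELS.values() if query.lower() in m.name.lower()]


def search_fixed(requester, query):
    """Applies the same authorization rule before serialising, not in the UI."""
    return [m.uuid for m in MODELS.values()
            if query.lower() in m.name.lower() and can_view(requester, m)]


def new_file_id():
    """Revision token that cannot be enumerated (instead of a four-digit counter)."""
    return secrets.token_urlsafe(16)
```

Rate limiting on the download endpoint is still worthwhile, but with a non-enumerable `file_id` and an ownership check it stops being the only line of defence.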