Last night, while casually poking around a dating application (definitely not trying to swipe right on vulnerabilities), curiosity kicked in. A few harmless parameter tweaks later… and suddenly, I wasn't just reading my own messages anymore.

Turns out, the app trusted user IDs more than it should.


IDOR Vulnerability in Dating Application Leads to Unauthorized Message Access

Insecure Direct Object Reference (IDOR) vulnerabilities continue to be a serious threat to modern applications, and a recent finding in a dating platform highlights just how dangerous this oversight can be.

The application failed to validate object-level authorization: any logged-in user could change an identifier in a request and read other users' private messages, because the server never checked that the requester was a participant in the conversation it was returning.

No credential brute force. No memory-corruption exploit. Just broken access control and an identifier that could be enumerated.

When applications assume users will only request what belongs to them, privacy becomes optional — and in a dating app, that's a critical failure.

[Image: What is IDOR]

What Went Wrong?

Imagine opening someone else's private chat not by hacking a server, but by changing a single number in a request.

That's exactly what happened in a popular dating application.

A critical Insecure Direct Object Reference (IDOR) vulnerability allowed unauthorized access to other users' private messages, conversations and associated metadata, all without any authorization check on the object being requested.

By manipulating object identifiers in backend requests, it was possible to:

  • View conversations belonging to other users
  • Access message history not tied to the authenticated account
  • In some cases, enumerate user interactions and relationships

No exploit was required; the server simply never asked who owned the conversation.

How I Did It: Starting from Recon

It all started with recon. Can you believe it?


1️⃣ Find all domains and subdomains:

    amass enum -passive -d target.com -o subdomains.txt

2️⃣ Resolve live subdomains (401 and 403 are kept on purpose: a host that rejects you is still a live host):

    httpx -l subdomains.txt -silent -mc 200,401,403 -o live_subdomains.txt

3️⃣ Run Nuclei, which is my best friend (blossom tool):

    nuclei -l live_subdomains.txt

4️⃣ Nuclei did not find this one; my own eyes did (which is why you should not depend on automation too much).

Found a login page, and logged in.

Searching for IDs for IDOR, like an owl.

Finally got an ID.

But note this room_no. Anyone would be confused about why a room_no would turn up in a dating application.

[Image: the request carrying room_no, and wondering what it would be]

From the response I learned that room_no is the identifier the messages are fetched by: the endpoint returns the messages for whatever room_no is supplied.

This confirmed that the response returns the messages belonging to the given room_no.

Now think: what would hunters do here?

And yes, "IDOR".

Getting ready for Intruder.

Brute-forcing the room_no with Intruder returned millions of messages!!!
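What that Intruder run exercises, as an added example that is not the author's code or the application's: a minimal in-memory model of the vulnerable messages handler (room_no looked up with no ownership check) beside a hardened version that enforces object-level authorization, plus the probe a tester runs against each. The handler names, room numbers, user ids and messages are all constructed for illustration.

```python
# Added example, not code from the original post or the target application.
# Models the room_no IDOR: a handler that trusts the client-supplied id,
# a fixed handler that checks conversation membership, and an enumeration probe.
from dataclasses import dataclass, field


@dataclass
class Room:
    room_no: int
    participants: frozenset            # user ids allowed to read this conversation
    messages: list = field(default_factory=list)


# Constructed in-memory "database". User 1000 is a participant only in room 41.
ROOMS = {
    41: Room(41, frozenset({1000, 2001}), ["hey :)", "coffee on friday?"]),
    42: Room(42, frozenset({3002, 3003}), ["are you free tonight?"]),
    43: Room(43, frozenset({4004, 4005}), ["call me later", "ok"]),
}


def get_messages_vulnerable(session_user: int, room_no: int) -> dict:
    """The bug: look up the room by the client-supplied room_no and return
    whatever is found. session_user is accepted but never consulted."""
    room = ROOMS.get(room_no)
    if room is None:
        return {"status": 404, "messages": []}
    return {"status": 200, "messages": list(room.messages)}


def get_messages_fixed(session_user: int, room_no: int) -> dict:
    """Object-level authorization: the caller must be a participant.
    A non-member gets the same 404 as a nonexistent room, so the endpoint
    does not confirm which room_no values exist."""
    room = ROOMS.get(room_no)
    if room is None or session_user not in room.participants:
        return {"status": 404, "messages": []}
    return {"status": 200, "messages": list(room.messages)}


def idor_probe(handler, session_user: int, own_rooms: set, id_range) -> list:
    """What Intruder did, in miniature: iterate room_no as one logged-in user.
    Any 200 for a room the tester does not own is a leak; the tester needs no
    knowledge of the backend, only the list of their own conversations."""
    leaked = []
    for room_no in id_range:
        resp = handler(session_user, room_no)
        if resp["status"] == 200 and room_no not in own_rooms:
            leaked.append(room_no)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_probe(get_messages_vulnerable, 1000, {41}, range(40, 50)))
    print("fixed handler leaks:     ", idor_probe(get_messages_fixed, 1000, {41}, range(40, 50)))
```

The probe is the whole finding in one loop: it never authenticates as anyone but user 1000, and the only variable is the identifier. The fix belongs in the handler, not in making room_no harder to guess; a random UUID would slow enumeration but still leak to anyone who obtains one.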

Successfully pulled nearly 20 GB of chat files.

Finally won!!!
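The other side of that 20 GB: an enumeration run is loud, and the defender's view of it is one session reading far more distinct conversations than any real user would. As an added example, not part of the original post, this detector parses constructed access-log lines and flags sessions that fetch many distinct room_no values inside a short window. The log format, session ids, endpoint path and thresholds are assumptions chosen for the example.

```python
# Added example, not from the original post. Flags sessions whose successful
# message reads span an unusual number of distinct room_no values within a
# sliding time window, the traffic shape an Intruder run against room_no produces.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines: "<unix_ts> <session_id> GET <path> <status>".
# sess-a re-reads its own room, sess-c reads two rooms, sess-b walks 25 ids.
SAMPLE_LOG = "\n".join(
    [
        "1700000000 sess-a GET /api/messages?room_no=41 200",
        "1700000005 sess-a GET /api/messages?room_no=41 200",
        "1700000007 sess-c GET /api/messages?room_no=90 200",
        "1700000009 sess-c GET /api/messages?room_no=91 200",
        "1700000011 sess-c GET /api/messages?room_no=92 404",
    ]
    + [f"{1700000020 + i} sess-b GET /api/messages?room_no={100 + i} 200" for i in range(25)]
)

LINE_RE = re.compile(r"^(\d+) (\S+) GET (/api/messages\?[^ ]*) (\d{3})$")


def parse(log_text: str) -> list:
    """Return (timestamp, session, room_no) for successful message reads only;
    404s are dropped because they did not return anyone's data."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sess, path, status = m.groups()
        qs = parse_qs(urlparse(path).query)
        if status != "200" or "room_no" not in qs:
            continue
        events.append((int(ts), sess, qs["room_no"][0]))
    return events


def find_enumerators(log_text: str, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Map session -> peak number of distinct rooms read in any window_seconds
    window, for sessions whose peak reaches threshold."""
    by_sess = defaultdict(list)
    for ts, sess, room in parse(log_text):
        by_sess[sess].append((ts, room))
    flagged = {}
    for sess, evs in by_sess.items():
        evs.sort()
        counts = defaultdict(int)          # room -> hits inside the current window
        lo, best = 0, 0
        for ts, room in evs:
            counts[room] += 1
            while evs[lo][0] < ts - window_seconds:   # evict events older than the window
                old = evs[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[sess] = best
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Distinct rooms per session, not request count, is the signal: a chatty real user hammers the same few conversations, while an enumerator touches each id once. The threshold is a tuning assumption; set it from the distribution of distinct rooms per session in your own traffic.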

Waiting for bounty details from the target.

[Image: Waiting!!]

What I Did Next (The Ethical Way)

Instead of abusing the access or ignoring the issue, I:

  • Responsibly disclosed the IDOR vulnerability to the application's security team.
  • Clearly demonstrated how broken object-level authorization allowed access to other users' private messages.
  • Worked with the team to validate the impact, ensuring the issue was patched and proper access controls were enforced.

Privacy deserved to be fixed, not exploited.

That's it for now.

Cheers and peace out!


_.mr._domy >> Eat Well → Hack Well → Snack Well