June 24, 2026
An interesting logic IDOR that allowed me to access user data and private photos
By Hamzadzworm

Hi again,

This is Abdelkader Mouaz, also known as Hamzadzworm.
It has been a while since my last write-up.
Today, I will share an interesting IDOR I discovered in a private program.
I was working on a private program that allows users to upload private photos. Every user has an ID called "OwnerId" consisting of 12 digits, which on its face makes it very hard to brute-force (a search space of 10^12 values).
The first thing I noticed was the missing email verification, so you can create an account with any email address.
I created multiple accounts using different temporary email addresses and noticed that the first 9 digits of the OwnerId differed from account to account, while the last 3 digits were the same for every account.
While testing, I was trying to determine whether an IDOR existed. I uploaded photos to two different accounts and started analyzing the requests used to share photos.
During this process, I noticed that one of the API endpoints accepted an OwnerId and an email address as parameters when sharing photos.
To test for IDOR, I supplied the OwnerId of Account 2 (victim) while performing the action from Account 1 (attacker).
The application shared the photos belonging to Account 2, confirming the presence of an IDOR vulnerability.
As you can see here, it is the victim's photo, but the person who shared it is the attacker.
However, the main challenge was obtaining the 12-digit OwnerId of other users. Since the application relied on OwnerId as the identifier for accessing and sharing photos, I began investigating how these values were generated and whether they could be predicted.
I set this part aside and kept testing by creating accounts with email aliases, that is, addresses with the same local part before the "@" (for example john@..., john+1@..., john+2@...). I noticed that the first 7 digits of the OwnerId were identical across all of these accounts.
So the first 7 digits are derived from the local part of the email address, and the last 3 digits are the same for every account.
That leaves only the two middle digits to brute-force: 100 possible values.
Let me explain further:
john = 1234567(00)890
john+1 = 1234567(12)890
john+2 = 1234567(14)890
This shows that the first part of the OwnerId comes from the email username, the last 3 digits remain the same, and only the 2 digits in the middle are left to brute-force.
To exploit this, let's say the victim's email is user@company.com. I only need to create an account using user+1@company.com, and because there is no email verification, I can log in directly.
As a result, I will get the same first 7 digits as the victim's OwnerId.
The difference will only be the two digits in the middle, which I have to brute-force.
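To make the attack path concrete, here is an added example (my own code, not the author's or the program's) that models the OwnerId structure from the write-up and runs the 100-candidate enumeration against a toy in-memory photo service, once with the vulnerable share check and once with a hardened one. Everything in it is assumed or constructed: the 7/2/3 digit split comes from the write-up, but the PhotoService class, its share handlers, the OwnerIds, photo names and recipient address are made up, and the idea that the endpoint fails for a non-existent OwnerId (the oracle the enumeration needs) is an assumption about the real program that the post does not spell out. The candidate generator is written for the general prefix/middle/suffix split rather than only this 12-digit case.

```python
"""Added example (not the author's code): model the OwnerId weakness from the
write-up and show why the share endpoint must derive the owner from the session.

Assumptions, taken from the write-up: a 12-digit OwnerId whose first 7 digits
derive from the email local part and whose last 3 digits are constant, leaving
2 digits (100 values) to enumerate. The photo service, its share handlers, the
OwnerIds and the photo names below are constructed for this example; the real
program's endpoint and its responses are not described in the post.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ID_LEN = 12
PREFIX_LEN = 7   # digits derived from the email local part (write-up)
SUFFIX_LEN = 3   # digits identical for every account (write-up)
MIDDLE_LEN = ID_LEN - PREFIX_LEN - SUFFIX_LEN   # 2 digits left to guess


def candidate_owner_ids(alias_owner_id: str) -> list[str]:
    """Return every OwnerId sharing the alias account's first 7 and last 3 digits.

    The attacker registers victim+1@example.com (no email verification), reads the
    OwnerId the app assigns, and enumerates the 10**MIDDLE_LEN = 100 middle values.
    """
    if len(alias_owner_id) != ID_LEN or not alias_owner_id.isdigit():
        raise ValueError("OwnerId must be exactly 12 digits")
    prefix = alias_owner_id[:PREFIX_LEN]
    suffix = alias_owner_id[ID_LEN - SUFFIX_LEN:]
    return [f"{prefix}{middle:0{MIDDLE_LEN}d}{suffix}" for middle in range(10 ** MIDDLE_LEN)]


@dataclass
class PhotoService:
    """Toy stand-in for the private program (constructed, in-memory)."""
    photos: dict[str, list[str]]                      # OwnerId -> uploaded photo names
    shares: list[tuple[str, str, str]] = field(default_factory=list)  # (owner, photo, recipient)

    def share_vulnerable(self, session_owner_id: str, owner_id: str, recipient: str) -> bool:
        """The IDOR: the client-supplied OwnerId is trusted and the session is ignored.
        Returns False only when the OwnerId does not exist, which is the oracle the
        enumeration relies on (an assumption about the real endpoint's behaviour)."""
        if owner_id not in self.photos:
            return False
        for photo in self.photos[owner_id]:
            self.shares.append((owner_id, photo, recipient))
        return True

    def share_fixed(self, session_owner_id: str, owner_id: str, recipient: str) -> bool:
        """Hardened: the owner is bound to the authenticated session, so a supplied
        OwnerId that does not match is rejected whether or not it exists."""
        if owner_id != session_owner_id:
            return False
        return self.share_vulnerable(session_owner_id, owner_id, recipient)


def enumerate_victims(share, alias_owner_id: str, recipient: str) -> list[str]:
    """Drive a share handler with each candidate OwnerId from the alias session and
    return the OwnerIds it accepted, i.e. the accounts whose photos were shared out."""
    hits = []
    for candidate in candidate_owner_ids(alias_owner_id):
        if candidate == alias_owner_id:
            continue   # sharing our own alias account's photos proves nothing
        if share(alias_owner_id, candidate, recipient):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Constructed IDs following the write-up's john / john+1 pattern.
    victim_id = "123456700890"   # user@company.com
    alias_id = "123456712890"    # user+1@company.com, registered by the attacker
    svc = PhotoService(photos={victim_id: ["private-01.jpg"], alias_id: ["decoy.jpg"]})
    print("vulnerable:", enumerate_victims(svc.share_vulnerable, alias_id, "attacker@evil.example"))
    svc = PhotoService(photos={victim_id: ["private-01.jpg"], alias_id: ["decoy.jpg"]})
    print("fixed:     ", enumerate_victims(svc.share_fixed, alias_id, "attacker@evil.example"))
```

Two things the toy makes visible. First, the enumeration is cheap because the identifier is not a secret at all: 7 digits are attacker-controlled through the alias account and 3 are constant, so the nominal 10^12 space collapses to 100 requests. Second, the fix is not a longer or more random OwnerId (although unguessable, randomly generated identifiers are still worth having); it is that share_fixed decides whose photos are being shared from the authenticated session and only compares the client-supplied value against it, so the parameter can no longer select another user's data.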
This vulnerability effectively turns what should be an unguessable 12-digit identifier into a predictable value that can be enumerated with minimal effort, resulting in an IDOR and unauthorized access to users' private photos.
It has been a while since I last shared a write-up, so I hope you enjoyed this one.
Have a great day, and see you in my next write-up! :)