
Broken access control continues to be one of the most impactful vulnerabilities in modern web applications. In this blog, I'll walk you through how a simple IDOR (Insecure Direct Object Reference) led to unauthorized access to sensitive employee data — and ultimately earned a $1000 bounty. Beyond this specific case, I discovered multiple IDOR vulnerabilities across different endpoints and parameters within the same application. Each finding was rewarded based on its severity — approximately $1000 for each P2, $450 for each P3, and $150 for each P4. By consistently identifying and responsibly reporting these issues, a seemingly simple class of vulnerability like IDOR enabled me to earn $10,000+ from a single private bug bounty program, highlighting how impactful and rewarding thorough testing of access control flaws can be.

Vulnerability Overview

Title: IDOR Leads to Access Other Users' Company PII Information
Endpoint: /expense/admin/getallusers
Impact: Unauthorized access to employee data across different organizations

This vulnerability allowed an attacker to retrieve all employees' data from other companies by simply modifying a parameter in a POST request.

🧪 Steps to Reproduce

  • Navigate to https://example.com/ and log in using the provided test credentials.
  • Go to Me → Expense Management, which redirects you to a new dashboard.
  • From there, access Configuration → Users and intercept the request using Burp Suite.
  • Identify the vulnerable API call POST /expensemanagement/admin/getallusers (Host: example.com), where the request body contains a parameter such as { "XXXXId": "XXXXXX" }.
  • Modify the XXXXId value to another valid ID (e.g., XXXXXX) and forward the request; the IDOR vulnerability is exploited successfully.

🚨 Result

The response returns:

  • The full list of employees belonging to another organization

This confirms a classic IDOR vulnerability due to missing authorization checks.

📉 Impact

This vulnerability exposes:

  • Employee names
  • Organizational data
  • Potentially sensitive PII

An attacker could:

  • Enumerate multiple organizations
  • Harvest employee data at scale
  • Use it for phishing or further attacks

Root Cause

The application failed to:

  • Validate whether the authenticated user is authorized to access the requested XXXXId
  • Enforce object-level authorization
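To make the root cause concrete, here is an added example (not code from the original post or the affected application) that models the getallusers handler twice: once with the bug, where the organization id is taken straight from the request body, and once with an object-level authorization check bound to the server-side session. The parameter name orgId stands in for the redacted XXXXId, and all users and ids are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class User:
    user_id: str
    org_id: str
    is_admin: bool = False  # admin of their *own* organization only

# Constructed sample data: two organizations, one admin in each.
USERS = {
    "u1": User("u1", "orgA", is_admin=True),
    "u2": User("u2", "orgA"),
    "u3": User("u3", "orgB", is_admin=True),
    "u4": User("u4", "orgB"),
}

# Denied attempts are recorded here so a defender can alert on them.
AUDIT_LOG: list[dict] = []

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""

def _users_in_org(org_id: str) -> list[str]:
    return sorted(u.user_id for u in USERS.values() if u.org_id == org_id)

def get_all_users_vulnerable(session_user_id: str, body: dict) -> list[str]:
    # Mirrors the bug described above: orgId (hypothetical name for the
    # redacted XXXXId) comes from the client and is never compared against
    # the caller's own organization, so any org id is honoured.
    return _users_in_org(body["orgId"])

def get_all_users_fixed(session_user_id: str, body: dict) -> list[str]:
    # Object-level authorization: resolve the caller from the server-side
    # session, then require that the requested org is the caller's own and
    # that the caller holds an admin role in it.
    caller = USERS[session_user_id]
    org_id = body["orgId"]
    if not caller.is_admin or org_id != caller.org_id:
        AUDIT_LOG.append({"user": session_user_id, "requested_org": org_id,
                          "caller_org": caller.org_id, "denied": True})
        raise Forbidden(f"{session_user_id} may not list users of {org_id}")
    return _users_in_org(org_id)

def cross_tenant_read_blocked(session_user_id: str, org_id: str) -> bool:
    # Helper for checks: True when the fixed handler refuses the request.
    try:
        get_all_users_fixed(session_user_id, {"orgId": org_id})
    except Forbidden:
        return True
    return False
```

The vulnerable variant returns orgA's employees to orgB's admin, while the fixed variant refuses the same request and leaves an audit record, which is the signal a detection rule for parameter tampering would key on.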

💡 Final Thoughts

This was a great reminder that even mature applications can have basic access control flaws. Finding such issues doesn't always require complex techniques — just curiosity and attention to detail.