May 12, 2026
One Endpoint, One Mistake, One Catastrophe
Mohammad Hossein Nikyar
Hello everyone,
Today, I want to talk about a "Broken Authorization" vulnerability that I discovered on a website. It was an IDOR (Insecure Direct Object Reference) vulnerability that led to the exposure of all users' information on the platform.
I had been testing the logical functionalities of the website for several weeks, but I couldn't find any endpoint that exposed user information directly.
However, I discovered an endpoint that allowed users' uploaded files to be deleted from the website.
The endpoint worked based on predictable object IDs, and after testing it with several accounts, I realized that the issue affected all users. I was able to delete users' files blindly.
Although that was already a serious vulnerability, I wanted to go further.
"The word 'more' is what every hacker wants."
But the real solution was hidden in a simple sentence:
"Reconnaissance is everything."
So, I started performing deeper reconnaissance and gathered all available endpoints from HTML resources and JavaScript files.
Eventually, I found an endpoint that caught my attention:
/users/user_file_datatable/ID
I tested it with my own object ID and successfully retrieved my account information.
At this stage, it was important not to rush. The best way to confirm the vulnerability was by testing another user's object ID.
Finally, I was able to retrieve other users' data and view sensitive information such as names, uploaded file paths, and more:
"https://sub.redacted.com/api/v1/users/42344542"
And that was it.
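As an added illustration (not code from this post or from the site it describes) of the two endpoints discussed above, the file-delete endpoint and the user_file_datatable lookup, modelled as plain Python functions over an in-memory store: the vulnerable handlers select records by the supplied object id alone, while the fixed handlers scope every lookup to the authenticated caller. All user ids, file ids and paths are constructed for the demonstration.

```python
# Added example, not the original post's code. Models the two endpoints from the
# write-up over an in-memory store: the vulnerable version trusts the object id
# in the URL, the fixed version ties every lookup to the authenticated caller.
from __future__ import annotations
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not access the requested object (HTTP 403/404)."""


@dataclass
class UserFile:
    file_id: int
    owner_id: int
    path: str


@dataclass
class Store:
    files: dict[int, UserFile] = field(default_factory=dict)


def sample_store() -> Store:
    # Constructed data: two users, one uploaded file each, sequential file ids.
    return Store({
        1: UserFile(1, 100, "/uploads/100/cv.pdf"),
        2: UserFile(2, 200, "/uploads/200/report.pdf"),
    })


# --- vulnerable handlers: the object id alone selects the record (IDOR) ------
def delete_file_vulnerable(store: Store, caller_id: int, file_id: int) -> bool:
    # caller_id is never consulted, so any logged-in user can delete any file id.
    return store.files.pop(file_id, None) is not None


def user_file_datatable_vulnerable(store: Store, caller_id: int, user_id: int) -> list[str]:
    # Returns the file paths of whichever user_id the URL names.
    return [f.path for f in store.files.values() if f.owner_id == user_id]


# --- fixed handlers: every lookup is scoped to the authenticated principal ----
def delete_file_fixed(store: Store, caller_id: int, file_id: int) -> bool:
    record = store.files.get(file_id)
    # Same refusal whether the file is missing or owned by someone else, so the
    # endpoint cannot be used to enumerate which ids exist.
    if record is None or record.owner_id != caller_id:
        raise Forbidden("file not found")
    del store.files[file_id]
    return True


def user_file_datatable_fixed(store: Store, caller_id: int, user_id: int) -> list[str]:
    # The path parameter is only honoured when it names the caller's own account.
    if user_id != caller_id:
        raise Forbidden("not found")
    return [f.path for f in store.files.values() if f.owner_id == caller_id]
```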
Thanks for reading.