An interesting idor that allowed me to See all projects ($$$$ Bounty)

Hamzadzworm
3 min readJul 9, 2022

--

Hi all today i will share an intresting i dor that i found in a one of hackerone private programs that allowed me to disclose all users private projects without there permission : )

intorduction:

it was a normal day as anyday and i get an invite from a private program so i said why dont i take a look on it so i grab a cup of coffee and enter the website and start testing it as a normal user

I made a project and make it private one then i decide to open project link in private browser and that was result

I notice that it wasnt found but before that i notice that its uploaded on main website, so i keep thinking about what to do next and i decide to go deeper and check some subdomains.

Tio: just because main domain is secure that dosent mean subdomains are also secure : )

After checking few subdomains i notice one of them that contain same login page of the main website so i directly try to login with same credinals i used in the main websites and i was surprised that i was logged in so that mean another chance for idor :D

I go to one of projects and that was result

Still didnt opened so I opened it in a new page and here was the surprise:

Its uploaded in another subdomain like that: uploads.target.com/get_image/project/577213875_282x210.png

Its clear now that i have to change project id and thats what i did and surprise was that it worked and it taked me to another user project but i wasnt clear if it disclose private projects, so i go to private browser and put my private project id that i created in first time when i opened in the main website and i was able to view it even without login.

I reported that and that was result:

Accepted rewarded and resolved as critical but i didnt stop here i keep going more deeper and i was able to get another subdomain with another function that allowed me to do same thing and i could double my bounty

I hope this article was clear and hope it gonna help some of you follow me on twitter if you want more https://twitter.com/hamzadzworm

--

--

Responses (2)