Idor That allowed me to get access to sensitive users files and share them -.-

Hamzadzworm
3 min readNov 15, 2023

Hi all, my name is Abdelkader Mouaz Know as Hamzadzworm
my twitter:
https://twitter.com/hamzadzworm

and today i will share an idor bug that allowed me to get accesst to all users files

1.while browsing website i got a share options for private files but to share them you need two things:

itemid and itemownerid.

they are long numbers so its impossible to brute force them

2.i opened a second account to check whats difference between them and i found a completely different value’s which make it more harder

3.i try to test idor by changing value of first account with second account and i found that there is an idor that allowed me to share other account files by changing itemid and ownerid value’s

severity is still low because i cant bruteforce them

i keep digging and i found that iam able invite user to my account to share some files with him but im allowed to see only the shared file im invited to, not other files

because im invited to a file now i have ownerid of victim who invited me its disclosed while viewing file.

i also have itemid of this file so i can use them from my account to re-share the file im invited to and write a message on email invite and it will be looking like the victim is the sender

here iam able to exploit idor to re-send file im invited when i dont have option to share it

so i can share it to from my account after i get his itemid and ownerid

now i shared another file from my first account(victim account) to mine(second account) and noticed that ownerid is fixed on all files because its related to the victim account

now to brute force another files value’s i need itemid of this files

i shared another file and difference in itemid value’s was just in 5 digits so all files share same owner id and (itemid with different 5 digits)

i try to bruteforce other digits via intruder but there was a rate limit

i added X-Forwarded-Host:127.0.0.1 and i didnt get blocked

so here i bypassed rate limit and i was able to brute force all other files value’s (item id’s)

now impact is:

if user shared one file with me i can get itemid and ownerid while viewing file then go to my account and share a file from my account with replacing file value’s with the victim values to re-share when im not allowed to share it and even add message on the invite email that invited user receive and it will look like victim is the one who share it and send the message

i can brute force other itemid values which mean bruteforce all other private files of user who invited me just to one file and

also share them

i hope you like it waiting for your opinion and have a great day all ❤

--

--