How I was able to delete any users’ OAUTH connections via IDOR

Mirza Muhammad Fauzan
Jun 24, 2022


Whoami?

This is Muhammad Fauzan, a bug bounty hunter and professional penetration tester who has reported bugs to several top-tier companies.

What is IDOR?

Insecure direct object reference (IDOR) is a type of access control vulnerability in web application security. It occurs when a web application or API uses a client-supplied identifier (a numeric ID, a username, an email address) to look up an object in its backend but does not check that the authenticated caller is actually authorized to act on that object.

My Methodology:

While hunting on a private program, which for confidentiality I will call *.redacted.com, I was interested in testing the main domain, because the main domain usually carries the most functionality. I work a full-time job and do not have much time for reconnaissance, so I just used Burp Suite. I added the domain to Burp under Target -> Scope: \.redacted\.com.

As I browsed, all the subdomains such as api.redacted.com and accounts.redacted.com, along with their endpoints and parameters, landed in the Burp HTTP history. From there it was easy to test each URL endpoint and its parameters one by one.

Note: I performed the IDOR attack only against my own test accounts, never against real users' accounts. That is why I created two accounts for the IDOR testing.

I created two accounts with different email addresses, one as the attacker and one as the victim. Then I looked at the profile settings, where a user can connect social accounts such as Google, LinkedIn, Twitter and Facebook.

Attacker account: I connected both accounts to Google via OAuth, then intercepted the "remove connection" request in Burp and noticed an emailAddress parameter in the request body.

Remove Connection Request:

POST /social-login/remove HTTP/2
Host: accounts.redacted.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 48
Origin: redacted.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

type=google&emailAddress=fozisimi123%40gmail.com

I simply changed the email address in the request above to the email of my other (victim) account, and the Google connection was removed from the victim account without any interaction from that user. The server authenticated my session but then used the client-supplied emailAddress, rather than the account bound to the session, to decide whose connection to remove. In this attack the attacker only needs the other user's email address to unlink any social account connected to that user's profile.
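To make the root cause concrete, here is an added example (not code from the original post or from the affected program) that models the /social-login/remove endpoint in a vulnerable form and a hardened form, and runs the two-account test described above against each. The account data, session cookies and email addresses are constructed for the example; the real service's implementation is unknown.

```python
# Added example (not from the original post): a minimal model of the
# /social-login/remove endpoint, in a vulnerable and a hardened form,
# plus the two-account IDOR test described in the write-up.
# All account data, session tokens and e-mail addresses below are constructed.
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Account:
    email: str
    connections: set = field(default_factory=set)  # e.g. {"google", "linkedin"}


# Constructed test data: an attacker account and a victim account, both linked to Google.
ACCOUNTS = {
    "attacker@example.com": Account("attacker@example.com", {"google", "twitter"}),
    "victim@example.com": Account("victim@example.com", {"google"}),
}
# Session cookie -> authenticated account e-mail (constructed).
SESSIONS = {"sess-attacker": "attacker@example.com", "sess-victim": "victim@example.com"}


def _parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body like the captured request."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def remove_connection_vulnerable(session: str, body: str) -> int:
    """Authenticates the caller but then acts on the body's emailAddress:
    any logged-in user can unlink any other user's social login (the IDOR)."""
    if session not in SESSIONS:
        return 401
    params = _parse_body(body)
    target = ACCOUNTS.get(params.get("emailAddress", ""))
    if target is None:
        return 404
    target.connections.discard(params.get("type", ""))
    return 200


def remove_connection_fixed(session: str, body: str) -> int:
    """Derives the target account from the session; the client-supplied
    emailAddress is never used to choose whose connection is removed."""
    if session not in SESSIONS:
        return 401
    params = _parse_body(body)
    caller = ACCOUNTS[SESSIONS[session]]
    # Defence in depth: if the client still sends emailAddress, it must match the caller.
    if params.get("emailAddress", caller.email) != caller.email:
        return 403
    caller.connections.discard(params.get("type", ""))
    return 200


def idor_test(handler) -> dict:
    """Two-account test: the attacker replays its own remove request with the
    victim's e-mail. Reports the status and whether the victim lost Google."""
    # Reset state so the test is repeatable against either handler.
    ACCOUNTS["attacker@example.com"].connections = {"google", "twitter"}
    ACCOUNTS["victim@example.com"].connections = {"google"}
    body = "type=google&emailAddress=victim%40example.com"
    status = handler("sess-attacker", body)
    return {
        "status": status,
        "victim_lost_google": "google" not in ACCOUNTS["victim@example.com"].connections,
        "attacker_kept_google": "google" in ACCOUNTS["attacker@example.com"].connections,
    }


if __name__ == "__main__":
    print("vulnerable:", idor_test(remove_connection_vulnerable))
    print("fixed:     ", idor_test(remove_connection_fixed))
```

The check that matters is in the hardened handler: the account to modify comes from the session, and an emailAddress in the body that disagrees with the session owner is rejected outright instead of being honoured. The same two-account replay is how you confirm the fix, not just the bug.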

This is my first write-up, so feedback is welcome and will help me avoid mistakes in the next one.

Hope you are enjoying this :)

Thanks


Mirza Muhammad Fauzan

Penetration Tester @Trillium || CEH (P) || API Security || CRTP || SRT Member || Red Teamer || Bug bounty hunter