IDOR + Account Takeover leads to PII leakage

We discussed this vulnerability during Episode 91 on 18 October 2021

The first issue was that the endpoint for changing a user’s password took a user id as an argument, and that id was not validated against the currently logged-in user, allowing any user to change the password of any other account provided they knew that user’s unique id. These ID values were thankfully not easily guessed.

The second issue was an IDOR on the checkout/api/user/ endpoint, which took an email address as one of its arguments and returned the associated user-id in the response. Combining these two issues provides the ability to access any user’s account, and all information associated with it such as credit card and billing information.
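
The authorization defect behind both issues, as an added example that is not code from the affected program: each handler is modelled as a plain function taking the authenticated session's user id, with the vulnerable form beside its hardened form. The user store, ids and emails are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: str
    email: str
    password_hash: str

class Forbidden(Exception):
    """Raised when a request tries to act on an account other than its own."""

def make_store():
    # Constructed in-memory stand-in for the application's user table.
    return {
        "u-7f3a": User("u-7f3a", "alice@example.com", "hash(alice-pw)"),
        "u-9c21": User("u-9c21", "bob@example.com", "hash(bob-pw)"),
    }

def change_password_vulnerable(users, session_user_id, request):
    """Models the reported bug: the target user id is read from the request body
    and never compared with the authenticated session, so any caller who knows
    another account's id can overwrite that account's password."""
    target = users[request["user_id"]]
    target.password_hash = f"hash({request['new_password']})"
    return {"status": "ok", "user_id": target.user_id}

def change_password_fixed(users, session_user_id, request):
    """Hardened form: the account acted on is always the session's own account.
    A client-supplied user_id is tolerated only if it matches; otherwise the
    request is refused (and should be logged as an authorization failure)."""
    requested = request.get("user_id")
    if requested is not None and requested != session_user_id:
        raise Forbidden("user_id in request does not match authenticated user")
    target = users[session_user_id]
    target.password_hash = f"hash({request['new_password']})"
    return {"status": "ok", "user_id": target.user_id}

def lookup_user_vulnerable(users, session_user_id, email):
    """Models the second issue: any email resolves to its user id, which turns
    the otherwise unguessable ids into something any caller can look up."""
    return next((u.user_id for u in users.values() if u.email == email), None)

def lookup_user_fixed(users, session_user_id, email):
    """Hardened form: the endpoint only answers for the caller's own record."""
    me = users[session_user_id]
    return me.user_id if me.email == email else None
```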

Unfortunately, the program did not pay out for this issue, as authenticated testing and testing of the signup pages were considered out-of-scope (terrible policy).