Original Post: Google Data Studio Insecure Direct Object Reference
This vulnerability was analyzed during Episode 163 on 31 October 2022.
A straightforward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have the option to create a template and then optionally add that template to a report; it is the process of persisting that template in a report that is vulnerable to IDOR.
When you go to add the new/temporary template to a report, a request to /persistTempReport will be made with a sourceReportId. This identifier does not have any authorization checks and can point to any report.
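The missing check, shown as an added example that is not from the original post or from Google's code: a simplified in-memory model of a persistTempReport handler, first dereferencing sourceReportId as-is and then authorizing it. The Report class, the store, the user names and the assumption that the handler copies the source report's content into the temporary report are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Report:
    owner: str
    content: str
    viewers: set = field(default_factory=set)  # users the owner shared with

    def readable_by(self, user: str) -> bool:
        return user == self.owner or user in self.viewers

def make_store() -> dict:
    # Constructed sample data: one private report per user plus bob's temp report.
    return {
        "r-alice": Report("alice", "alice private data"),
        "r-bob": Report("bob", "bob's dashboard"),
        "tmp-bob": Report("bob", ""),
    }

def persist_temp_report_vulnerable(store, user, temp_id, source_report_id):
    """Mirrors the flaw: sourceReportId is dereferenced with no access check."""
    source = store[source_report_id]
    store[temp_id].content = source.content
    return store[temp_id]

def persist_temp_report_checked(store, user, temp_id, source_report_id):
    """Authorizes every client-supplied object id before using it."""
    temp = store.get(temp_id)
    source = store.get(source_report_id)
    # Same error for "missing" and "forbidden" so ids cannot be probed.
    if temp is None or temp.owner != user:
        raise PermissionError("report not found")
    if source is None or not source.readable_by(user):
        raise PermissionError("report not found")
    temp.content = source.content
    return temp

def demo():
    """Sends bob's request for alice's report to both handlers."""
    leaked = persist_temp_report_vulnerable(
        make_store(), "bob", "tmp-bob", "r-alice").content
    try:
        persist_temp_report_checked(make_store(), "bob", "tmp-bob", "r-alice")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked
```

The checked handler validates both identifiers, since the temporary report id is client-supplied as well.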