So most of the time IDORs are pretty straightforward: they occur when there is no proper access control check on the object a request refers to, or when the object references themselves are weak and easy to guess. They are one of the easiest issues to find and exploit.
This case is a bit different. I recently started testing LinkedIn, and after playing around with the application for some time I discovered an endpoint where users can link their Twitter account to LinkedIn.
Once a Twitter account is linked successfully, LinkedIn posts can be shared as tweets on that Twitter account in addition to being published on LinkedIn.
When linking the Twitter account I immediately started testing for IDOR, because the request carries a POST parameter named "twitterId" whose value is a 9-digit number.
I created a second LinkedIn account (B) and linked Twitter account B to it. Then, while posting from account A with sharing to Twitter enabled, I replaced A's twitterId with B's.
Yea! 200 OK is what I got as a response. I then made a quick check to see whether it had actually worked: I went to Twitter account B and looked for a new tweet.
Unfortunately, even though I got a 200 OK, there was no tweet on the victim's Twitter account.
Changing the value to another user's twitterId while posting on LinkedIn failed awfully 😬.
There is also a feature to unlink the Twitter account, which turns post sharing off. I tested this one the same way, by changing the "twitterId" value to a different user's id.
Same here: after replacing the twitterId with another user's twitterId I got the same 200 OK response.
There is no visible difference between the legitimate response and the IDOR response. Everything is a 200 OK 👌
Moreover, I was still able to see this as well 😬
This should not appear once Twitter has been successfully unlinked from LinkedIn:
I blamed my luck and moved on.
Out of curiosity, I went back, turned the post sharing feature on, and posted something on LinkedIn.
Weirdly, my post didn't appear on Twitter even though the feature was turned on. I was like..! WTF
Looking more carefully: even though the UI still showed the account as linked to Twitter, the underlying unlink function had executed successfully and actually unlinked the Twitter account. The response gave nothing away; only the later behaviour of the feature did. So I thought this must be some sort of "blind" IDOR 🧐
I really wondered whether such a term even exists. I had heard of blind XSS, blind XXE and blind SSRF, but wtf is a blind IDOR..?
When I went through this blog post by Bugcrowd, there was actually a section dedicated to explaining these types of issues, and it described BLIND IDOR as follows.
"IDOR vulnerability, but you may not realize it!" -BLIND IDOR
Whenever you are testing an application, actually use the feature after performing these kinds of tests. Most of the time that will help you avoid false positives before reporting.
But sometimes it will also surface these weird, shallow blind vulnerabilities, which only become visible when the affected feature is exercised: the response to the malicious request looks identical to a legitimate one, so the only reliable oracle is the application's state afterwards.
Because the twitterId value is a 9-digit integer, an attacker could iterate the parameter over that range and unlink the Twitter account of every LinkedIn user whose id falls in it. Twitter user ids are not secret either, so a specific victim could be targeted directly without any guessing at all.
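To make the two points above concrete (the response is useless as an oracle, and the state of the feature is the real one), here is an added example that is not LinkedIn's code or from the original post: a minimal in-memory model of a link/unlink endpoint. The vulnerable variant trusts the client-supplied twitterId and answers 200 OK whatever happens; the fixed variant checks that the referenced link belongs to the authenticated user. The user names, the 9-digit ids, the 403 on mismatch and the request shape are all constructed for illustration.

```python
# Added example, not LinkedIn's code: an in-memory model of a "link / unlink
# Twitter" endpoint. It shows why the IDOR above was blind (same 200 OK for
# legitimate and cross-account requests) and the ownership check that fixes it.
# User names, ids and the request shape are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Link:
    linkedin_user: str   # owner of the link: the authenticated LinkedIn account
    twitter_id: int      # client-visible object reference (9 digits in the write-up)


class TwitterLinkService:
    """Holds every user's Twitter link, keyed by the Twitter id the client sends."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self._links: dict[int, Link] = {}

    def link(self, session_user: str, twitter_id: int) -> int:
        """POST /link: records that session_user's posts are shared to twitter_id."""
        self._links[twitter_id] = Link(session_user, twitter_id)
        return 200

    def unlink(self, session_user: str, twitter_id: int) -> int:
        """POST /unlink with body twitterId=<twitter_id>, sent by session_user.

        vulnerable=True: the handler trusts the client-supplied twitterId,
        deletes whatever link it points at and answers 200 regardless, so the
        response carries no signal about whose link was removed.
        vulnerable=False: the referenced link must belong to the caller;
        otherwise nothing changes and the request is refused with 403.
        """
        link = self._links.get(twitter_id)
        if link is None:
            return 200  # nothing to unlink; idempotent by design in this model
        if not self.vulnerable and link.linkedin_user != session_user:
            return 403
        del self._links[twitter_id]
        return 200

    def post_reaches_twitter(self, session_user: str) -> bool:
        """What the user actually observes: does a LinkedIn post also go out as a tweet?"""
        return any(l.linkedin_user == session_user for l in self._links.values())


def probe_blind_idor(service: TwitterLinkService, attacker: str,
                     victim: str, victim_twitter_id: int) -> tuple[int, bool, bool]:
    """Tests the unlink endpoint the way the write-up ends up doing: treat the
    status code as uninformative and compare the victim's feature before and
    after the cross-account request.
    Returns (status, victim_shares_before, victim_shares_after)."""
    before = service.post_reaches_twitter(victim)
    status = service.unlink(attacker, victim_twitter_id)
    after = service.post_reaches_twitter(victim)
    return status, before, after


def run_scenario(vulnerable: bool) -> tuple[int, bool, bool]:
    """Account A (attacker) and account B (victim) each link their own Twitter
    id; then A sends an unlink request carrying B's twitterId."""
    svc = TwitterLinkService(vulnerable=vulnerable)
    svc.link("linkedin_A", 123456789)   # constructed 9-digit ids
    svc.link("linkedin_B", 987654321)
    return probe_blind_idor(svc, attacker="linkedin_A",
                            victim="linkedin_B", victim_twitter_id=987654321)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(True))    # (200, True, False): B silently unlinked
    print("fixed:     ", run_scenario(False))   # (403, True, True): refused, state intact
```

In the vulnerable run the attacker gets exactly what the write-up saw, a 200 OK that looks like a legitimate unlink, and the only evidence is that the victim's posts stop reaching Twitter. The fix shown here compares the owner of the referenced object with the session user; an even simpler option is to not accept twitterId from the client at all and look up the link from the session, which removes the object reference the attacker was tampering with.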
Reported: Tue, Sep 3, 2019, 11:47 PM
Investigation: Wed, Sep 4, 2019, 8:42 AM
Issue resolved: Sep 12, 2019, 4:58 PM
So.. LinkedIn has a policy on HackerOne regarding rewards, and it states that:
There is an old tweet by @brutelogic that explains this well!
Thanks for reading :)