Intro:
Security issues are important, whether you're a small startup or a major tech company. Likewise, a security researcher is always a researcher, even when searching for a life partner. 😉
Yes, you read that right. I discovered an Insecure Direct Object Reference (IDOR) vulnerability on one of the most popular matrimony websites while browsing profiles for myself.
A Tale of Two APIs
The website's web APIs were properly secured. However, the mobile APIs were exposed without the same level of protection.
One of the key features on this platform is "Favorite Profiles", where users can shortlist others who match their preferences. While exploring the app using mitmproxy, I noticed that the mobile and web platforms were calling two different APIs.
The mobile version was passing the current user's ID as a request parameter, which immediately raised a red flag: the server already knows who is logged in from the session, so a client-supplied user ID only invites someone to substitute another user's.
Digging Deeper, Ethically
As a responsible white-hat hacker, I didn't want to compromise anyone's data. So, I created a second account with a completely different set of preferences. From that account, I shortlisted a few profiles to create test data.
Then, I took the second account's user ID and used it in the mobile API call made from my original account.
To my surprise, the API responded with the list of profiles that had been shortlisted by the second account. This clearly confirmed the IDOR vulnerability: the API returned whichever user's data the parameter named, without checking that it belonged to the authenticated session.
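The flaw and its fix, as an added example that is not the site's code: a minimal "favourite profiles" handler that trusts the client-supplied user ID (the bug found above) beside one that derives the owner from the session, plus the two-account check from the post turned into a regression test. Session tokens, user IDs and favourites are constructed sample data.

```python
# Added example (not the site's code): a model of the vulnerable
# "favourite profiles" endpoint and a hardened version of it.
# Tokens, user IDs and favourites below are constructed for illustration.

# Constructed state: session token -> authenticated user,
# and each user's shortlisted profile IDs.
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}
FAVORITES = {"u100": ["p1", "p2"], "u200": ["p7", "p8", "p9"]}


class Forbidden(Exception):
    """Raised when the caller asks for another user's data."""


def vulnerable_favorites(token, user_id_param):
    """Vulnerable handler: authenticates the token, then trusts the
    client-supplied user_id to select whose favourites to return (IDOR)."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    return FAVORITES.get(user_id_param, [])


def fixed_favorites(token, user_id_param=None):
    """Hardened handler: the data owner comes from the session, never from
    a parameter; a mismatching parameter is rejected instead of honoured."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise PermissionError("not logged in")
    if user_id_param is not None and user_id_param != caller:
        raise Forbidden(f"{caller} may not read favourites of {user_id_param}")
    return FAVORITES.get(caller, [])


def idor_probe(handler):
    """Regression check in the spirit of the two-account test above:
    log in as one test account, request the other test account's ID,
    and report whether the handler leaked that account's shortlist."""
    try:
        leaked = handler("tok-alice", "u200") == FAVORITES["u200"]
    except Forbidden:
        leaked = False
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", idor_probe(vulnerable_favorites))  # True
    print("fixed leaks:", idor_probe(fixed_favorites))            # False
```

The probe is what a team would keep in its test suite after the fix, so a later refactor that reintroduces the parameter lookup fails the build.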
Responsible Disclosure
I immediately reported the issue to the responsible team. They acknowledged the vulnerability and rolled out a fix within two days.
I can't confirm whether they treated this as a security incident and followed NIST (National Institute of Standards and Technology) incident-handling guidelines, but make sure you do for every security issue you receive.
Finally, you caught two issues — one reported responsibly, and the other… well, a lifetime “unsolvable” one. 😂 Keep hunting, both bugs and matches!