Critical IDOR Vulnerability on Medium?

r0xdac
Published in InfoSec Write-ups
4 min read · Oct 12, 2022


Hello Guys,

I hope you are doing well. I will tell you a little lunch-break adventure story of mine; I hope it inspires you. When I was looking at bounty programs, I saw the list below on Medium.

[image: hackers who hacked Medium]

I was at lunch and I said, why not give it a chance this time? So I started checking Medium's systems.

First I learned that almost everything has a unique id and that a lot of requests use GraphQL.

Then I decided to create accounts to check whether I could reach other users' private data.

This is the best way to find Insecure Direct Object Reference (IDOR) vulnerabilities: log in as one account you own and try to reach objects that belong to the other.

I figured out an access control vulnerability on Medium's system.

I had detected an access control vulnerability, or had I?

Let's say I have account A and account B. Normally, account A shouldn't be able to access account B's drafts, right? My drafts should be mine.

Draft stories have an id like ac274abe6d0

So if we take a look at our drafts, Medium redirects us to

https://medium.com/p/ac274abe6d0/edit?source=your_stories_page-------------------------------------

However, the id can be discovered. So let's say the other draft id is 94aa1588d3d9.

It consists of only 12 hexadecimal characters, so I thought it could be found by brute force. (In fact, 16^12 is roughly 2.8 × 10^14 candidate ids, so guessing a specific draft id is not practical even without a rate limit; a leaked or shared id is the realistic way to obtain one.)

If you go to https://medium.com/p/94aa1588d3d, it automatically redirects you to

https://medium.com/{{@targetnickname}}/94aa1588d3d

So we can also find out which id belongs to which user.

At least I thought so.

Detailed explanation, with screenshots, as a PoC:

1. Open drafts from test account B.

2. Open drafts from test account A.

3. Intercept the request from test account A.

4. Change the draft id in the URL to the other account's draft id (without editing the draft), to try to view the other user's draft.

It redirects to the link containing the nickname, as I described above.

5. When we follow the link, we are able to see the whole draft.

6. In a browser, it shows the whole draft as well.
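The cross-account check in steps 1 to 5, as an added example that is not part of the original post or Medium's code: a small in-memory draft store with a vulnerable handler that looks drafts up by id alone (the IDOR pattern the write-up tests for) beside a hardened one that also checks ownership, and a test that replays the A/B procedure against each. The store, the handler names, the account names and the draft bodies are all constructed for illustration; `id_space` only counts how many 12-hex-character ids exist.

```python
"""Cross-account IDOR check for a draft-by-id endpoint (added example).

Models the test from the write-up: account A must not be able to read
account B's draft by copying or guessing its id. DraftStore, the
view_draft_* handlers and the sample drafts are constructed here for
illustration; they are not Medium's code.
"""
import secrets
from dataclasses import dataclass

ID_HEX_CHARS = 12  # draft ids in the write-up are 12 hex characters


@dataclass
class Draft:
    draft_id: str
    owner: str   # nickname of the account that owns the draft
    body: str


class NotAuthorized(Exception):
    """Raised when the caller may not see the requested draft."""


class DraftStore:
    """Toy replacement for the backend: ids are random 12-hex-char strings."""

    def __init__(self):
        self._drafts = {}

    def create(self, owner, body):
        draft_id = secrets.token_hex(ID_HEX_CHARS // 2)  # 6 bytes -> 12 hex chars
        self._drafts[draft_id] = Draft(draft_id, owner, body)
        return draft_id

    def get(self, draft_id):
        return self._drafts.get(draft_id)


def view_draft_vulnerable(store, session_user, draft_id):
    """Looks the draft up by id only: the classic IDOR. Any logged-in user
    who knows the id gets the draft and its owner's nickname, exactly the
    behaviour the write-up observed when swapping the id in the URL."""
    draft = store.get(draft_id)
    if draft is None:
        raise KeyError(draft_id)
    return draft


def view_draft_hardened(store, session_user, draft_id):
    """Object-level authorization: the id must exist AND belong to the caller.
    Unknown ids and other users' ids get the same error, so the endpoint
    cannot be used as an id-to-owner oracle either."""
    draft = store.get(draft_id)
    if draft is None or draft.owner != session_user:
        raise NotAuthorized(draft_id)
    return draft


def cross_account_test(handler):
    """Replays steps 1-5: B creates a draft, A (holding B's id) tries to read it.
    Returns True when A is blocked, False when B's draft leaks to A."""
    store = DraftStore()
    b_id = store.create("account_b", "B's private notes")
    a_id = store.create("account_a", "A's own draft")
    # Sanity check: A can always read A's own draft under either handler.
    if handler(store, "account_a", a_id).body != "A's own draft":
        raise AssertionError("owner lost access to their own draft")
    try:
        handler(store, "account_a", b_id)
    except NotAuthorized:
        return True
    return False


def id_space(hex_chars=ID_HEX_CHARS):
    """Number of candidate ids. 16**12 is about 2.8e14, so enumerating
    the space to hit one specific draft is impractical even with no
    rate limit; the realistic risk is a leaked or shared id."""
    return 16 ** hex_chars


if __name__ == "__main__":
    print("vulnerable handler blocks A:", cross_account_test(view_draft_vulnerable))  # False
    print("hardened handler blocks A:  ", cross_account_test(view_draft_hardened))    # True
    print("candidate draft ids:", id_space())
```

The hardened handler deliberately returns the same error for a missing id and for someone else's id: if "not found" and "not yours" were distinguishable, the endpoint would still confirm which ids exist even after the draft body itself was protected.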

I was thinking that with a small Python script I would be able to download a lot of people's drafts, along with their nicknames, without their permission. If someone uses drafts as a notebook for a credit card number, a hacker could steal it, and a hacker could also steal drafted blog posts for himself. But I didn't check it, because the Medium bug bounty has the following rule:

Rules for You

• Don't attempt to gain access to another user's account or data. Use your own test accounts for cross-account testing.

As an ethical person and an ethical hacker, I always check the rules before attacking. So I tested it across accounts that all belong to me.

So I rushed to mail it to the Medium bug bounty team and started waiting for their reply. Unfortunately, the result was a disappointment for me. :( I was missing one point: there is no rate limit, and I couldn't test it because of the rule above. And even though it is a classic, this was a feature, not a bug. :D

I decided to tell you this story because bug bounty does not always lead to good things; sometimes you miss a point and think you have found something really big. However, you know what they say: what makes kings kings is not how they fall, but how they get up. You should keep trying again the next day.

Thank you for reading. I hope you enjoyed it and that it inspires you. Special thanks to the Medium bug bounty and support team for their kind and quick response. 💮

Peace from zer0d.
