
How a line of code resulted in a $20,000 bug bounty from GitLab

The hidden dangers of numerical IDs

Roberto
InfoSec Write-ups
4 min read · Jul 31, 2022


Summary

Web applications have many different objects, and it’s important to be able to uniquely identify each of them through the use of primary keys. We typically consider numerical IDs to be a good identifier; for example, we could use a unique 10-digit number for each user. However, using deterministic IDs can often result in a common vulnerability: insecure direct object references (IDOR). In this type of vulnerability, the web app fails to check whether the attacker (let’s say user 1111) should be able to view or edit the resources of a victim (let’s say user 2222).

Usually, these vulnerabilities are not in extremely obvious places; most apps take IDORs into account, and you probably won’t be able to delete another user’s account from yours using an IDOR. But in places that are easily overlooked, or where an access check might seem unnecessary, hidden dangers can lie. This is exactly what happened to GitLab when HackerOne user saltyyolk found a critical IDOR bug, resulting in a $20,000 bug bounty.
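As an added example that is not from the original post or from GitLab’s code, here is the pattern in miniature: a lookup that trusts the numeric ID alone, beside one scoped to the requesting user. The user IDs 1111 and 2222 follow the article; the resource store, function names and data are constructed.

```python
# Added example (not from the original post): a minimal object store showing
# the IDOR pattern the article describes, with the article's user 1111 as the
# requester and user 2222 as the victim. All names and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    resource_id: int
    owner_id: int
    body: str


# Constructed sample data: sequential numeric primary keys, as in the article.
RESOURCES = {
    1: Resource(1, 1111, "user 1111's private note"),
    2: Resource(2, 2222, "user 2222's private note"),
}


class Forbidden(Exception):
    """Raised when the requesting user does not own the requested object."""


def get_resource_vulnerable(requester_id: int, resource_id: int) -> Resource:
    """Vulnerable: fetches by ID only; requester_id is accepted but never used."""
    return RESOURCES[resource_id]


def can_access(requester_id: int, resource_id: int) -> bool:
    """Ownership check: True only if the object exists and belongs to requester."""
    resource = RESOURCES.get(resource_id)
    return resource is not None and resource.owner_id == requester_id


def get_resource_fixed(requester_id: int, resource_id: int) -> Resource:
    """Hardened: the lookup is scoped to the requester, so a guessed ID fails.

    A missing object and someone else's object get the same response, so the
    handler reveals nothing about which IDs exist.
    """
    if not can_access(requester_id, resource_id):
        raise Forbidden(f"user {requester_id} may not access resource {resource_id}")
    return RESOURCES[resource_id]
```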

AI-Generated Image “floating numbers illustration” at craiyon.com

The Exploit

I will be going over saltyyolk’s summary and report provided at HackerOne. Please read the original summary for an in-depth technical analysis.



Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Roberto

Stanford alum, Software Engineer with a passion for CyberSec, Biotech, and Sustainability. Work with me at https://www.tidallabs.io/.
