TOPIDOR.md
Top IDOR reports from HackerOne:

  1. IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 693 upvotes, $10500
  2. IDOR allow access to payments data of any user to Nord Security - 337 upvotes, $0
  3. Insecure Direct Object Reference (IDOR) - Delete Campaigns to HackerOne - 271 upvotes, $0
  4. IDOR allows you to delete photos and albums from a gallery to Pornhub - 266 upvotes, $1500
  5. IDOR allows any user to edit others videos to Pornhub - 245 upvotes, $1500
  6. Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
  7. IDOR delete any Tickets on ads.tiktok.com to TikTok - 193 upvotes, $0
  8. I.D.O.R To Order, Book, Buy, Reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) to Yelp - 181 upvotes, $0
  9. IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
  10. IDOR allows an attacker to modify the links of any user to Reddit - 158 upvotes, $5000
  11. IDOR in the https://market.semrush.com/ to Semrush - 155 upvotes, $0
  12. IDOR leads to Edit Anyone's Blogs / Websites to Automattic - 144 upvotes, $0
  13. An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier to Unikrn - 121 upvotes, $3000
  14. [api.pandao.ru] IDOR for order delivery address to Mail.ru - 120 upvotes, $3000
  15. IDOR vulnerability (Price manipulation) to Acronis - 119 upvotes, $0
  16. Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability to Reddit - 114 upvotes, $5000
  17. IDOR and statistics leakage in Orders to Twitter - 110 upvotes, $289
  18. IDOR in https://3d.cs.money/ to CS Money - 110 upvotes, $0
  19. IDOR leading to downloading of any attachment to BCM Messenger - 105 upvotes, $0
  20. IDOR leads to leak analytics of any restaurant to Uber - 103 upvotes, $2000
  21. IDOR leads to seeing Loyalty Program analytics of any restaurant to Uber - 93 upvotes, $1500
  22. IDOR for changing privacy settings on any memories to TikTok - 91 upvotes, $0
  23. IDOR on TikTok Ads Endpoint to TikTok - 88 upvotes, $2500
  24. Access User Tickets via IDOR in [widget.support.my.games] to Mail.ru - 85 upvotes, $0
  25. CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card to Yelp - 80 upvotes, $0
  26. [unibet.com] Delete messages via IDOR at /mom-api/messages/unibet_█████████@unibet/ to Kindred Group - 77 upvotes, $0
  27. IDOR via internal_api "users" endpoint to New Relic - 76 upvotes, $1500
  28. IDOR when moving contents at CrowdSignal to Automattic - 76 upvotes, $0
  29. IDOR allowing to read another user's token on the Social Media Ads service to Semrush - 76 upvotes, $0
  30. RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 70 upvotes, $0
  31. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 69 upvotes, $0
  32. IDOR the ability to view support tickets of any user on seller platform to TikTok - 60 upvotes, $2500
  33. IDOR to view order information of users and personal information to Affirm - 56 upvotes, $500
  34. IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs to HackerOne - 53 upvotes, $0
  35. CSRF combined with IDOR within Document Converter exposes files to Open-Xchange - 52 upvotes, $500
  36. IDOR on HackerOne Feedback Review to HackerOne - 52 upvotes, $0
  37. IDOR on Tagged People to TikTok - 52 upvotes, $0
  38. IDOR to delete images from other stores to Zomato - 50 upvotes, $600
  39. Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to Twitter - 50 upvotes, $0
  40. IDOR of users to Mail.ru - 48 upvotes, $500
  41. IDOR in marketing calendar tool to Semrush - 48 upvotes, $0
  42. IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field to Logitech - 48 upvotes, $0
  43. IDOR with Geolocation data not stripped from images to IRCCloud - 47 upvotes, $200
  44. IDOR in sending support email upon Verifying user business domain to Trustpilot - 43 upvotes, $0
  45. IDOR - Delete technical skill assessment result & Gained Badges result of any user to LinkedIn - 37 upvotes, $0
  46. IDOR in the per-domain user list on relap.io to Mail.ru - 36 upvotes, $500
  47. IDOR in semrush academy to Semrush - 36 upvotes, $0
  48. IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account to EXNESS - 36 upvotes, $0
  49. China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn to Starbucks - 34 upvotes, $0
  50. IDOR: leak buyer info & Publish/Hide foreign comments to Judge.me - 34 upvotes, $0
  51. [api.pandao.ru] IDOR allows changing the address of any user to Mail.ru - 33 upvotes, $1000
  52. IDOR: changing a user's email via Citymobil Business to Mail.ru - 33 upvotes, $0
  53. Sensei LMS IDOR to send message to Automattic - 33 upvotes, $0
  54. IDOR - disclosure of private videos - /api_android_v3/getUserVideos to Pornhub - 32 upvotes, $1500
  55. IDOR in editing courses to Radancy - 30 upvotes, $0
  56. No error thrown when IDOR attempted while editing address to OpenMage - 30 upvotes, $0
  57. IDOR in family pairing API to TikTok - 30 upvotes, $0
  58. IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid to Zomato - 29 upvotes, $250
  59. [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint to Zomato - 29 upvotes, $0
  60. <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> to Rockstar Games - 28 upvotes, $0
  61. Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card to Starbucks - 28 upvotes, $0
  62. Idor on the DELETE /comments/ to RGhost - 28 upvotes, $0
  63. I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) to Yelp - 28 upvotes, $0
  64. IDOR when editing email leads to Account Takeover on Atavist to Automattic - 28 upvotes, $0
  65. [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint to New Relic - 27 upvotes, $2500
  66. Cross-Tenant IDOR on Business allowing privilege escalation, invitation takeover, and editing of any other Businesses' employees to Uber - 27 upvotes, $0
  67. IDOR in TalentMAP API can be abused to enumerate personal information of all the users to U.S. Department of State - 27 upvotes, $0
  68. Ability to read any emails through IDOR on Nextcloud Mail to Nextcloud - 27 upvotes, $0
  69. IDOR - Downloading all attachments if having access to a shared link to Open-Xchange - 26 upvotes, $888
  70. IDOR on www.acronis.com API lead to steal private business user information to Acronis - 26 upvotes, $100
  71. IDOR on TikTok Seller to TikTok - 25 upvotes, $500
  72. IDOR Payments Status to Omise - 25 upvotes, $100
  73. IDOR in changing shared file name to Trint Ltd - 25 upvotes, $0
  74. IDOR in Bugs overview enables attacker to determine the date range a hackathon was active to HackerOne - 25 upvotes, $0
  75. IDOR to view User Order Information to BOHEMIA INTERACTIVE a.s. - 24 upvotes, $0
  76. IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter to Topcoder - 24 upvotes, $0
  77. Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number to Starbucks - 24 upvotes, $0
  78. IDOR - Other user's delivery address disclosed to Azbuka Vkusa - 24 upvotes, $0
  79. IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
  80. IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 23 upvotes, $610
  81. █████████ IDOR leads to disclosure of PHI/PII to U.S. Dept Of Defense - 23 upvotes, $0
  82. IDOR [mtnmobad.mtnbusiness.com.ng] to MTN Group - 23 upvotes, $0
  83. IDOR Causing Deletion of any account to Ubiquiti Inc. - 22 upvotes, $0
  84. IDOR widget.support.my.com to Mail.ru - 22 upvotes, $0
  85. IDOR in eform.molpay.com leads to see other users application forms with private data to Razer - 21 upvotes, $500
  86. IDOR to Account Takeover on https://████/index.html to U.S. Dept Of Defense - 21 upvotes, $0
  87. IDOR - Accessing other user's attachments via PUT /appsuite/api/files?action=saveAs to Open-Xchange - 20 upvotes, $888
  88. IDOR - Deleting other user's signature via /appsuite/api/snippet?action=update (although an error is thrown) to Open-Xchange - 20 upvotes, $300
  89. IDOR bug to see hidden slowvote of any user even when you don't have access rights to Phabricator - 20 upvotes, $300
  90. IDOR in tracking driver logs at city-mobil.ru to Mail.ru - 20 upvotes, $150
  91. Insecure Direct Object Reference (IDOR) Allowing me to claim other user's photos (driving license and selfies) as mine to Cuvva - 20 upvotes, $0
  92. IDOR on Program Visibility (Revealed / Concealed) against other team members to HackerOne - 20 upvotes, $0
  93. IDOR 'can change any account's email; the owner can then neither recover nor access the account' at https://www.miroyalcanin.cl/ to Mars - 20 upvotes, $0
  94. IDOR to update folder name of other user to Trint Ltd - 19 upvotes, $0
  95. Metadata leakage via IDOR to Polymail, Inc. - 19 upvotes, $0
  96. IDOR: editing any wishlist to QIWI - 19 upvotes, $0
  97. IDOR while uploading ████ attachments at [█████████] to U.S. Dept Of Defense - 19 upvotes, $0
  98. IDOR 'can add an animal to another account' at https://www.miroyalcanin.cl/ to Mars - 19 upvotes, $0
  99. IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email to Nextcloud - 18 upvotes, $0
  100. IDOR - Ability to view unlisted products to Reverb.com - 18 upvotes, $0
  101. IDOR in activateFuelCard id allows bulk lookup of driver uuids to Uber - 18 upvotes, $0
  102. IDOR Vulnerability in Job Preferences to Glassdoor - 18 upvotes, $0
  103. GraphQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson to Stripe - 18 upvotes, $0
  104. IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 17 upvotes, $500
  105. [app.mavenlink.com] IDOR to view sensitive information to Mavenlink - 17 upvotes, $0
  106. IDOR Leads To Account Takeover Without User Interaction to MTN Group - 17 upvotes, $0
  107. IDOR in report download functionality on ads.tiktok.com to TikTok - 16 upvotes, $500
  108. IDOR of contracts on dictor.mail.ru to Mail.ru - 16 upvotes, $150
  109. IDOR - Access to private video thumbnails even if video requires password authentication to Pornhub - 16 upvotes, $0
  110. [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato to Zomato - 16 upvotes, $0
  111. Singapore - IDOR in campaign.starbucks.com.sg to Starbucks - 16 upvotes, $0
  112. relap.io IDOR to Mail.ru - 16 upvotes, $0
  113. IDOR on partners.uber.com allows for a driver to override administrator documents to Uber - 15 upvotes, $500
  114. IDOR - Folder names disclosure inside a domain, regardless of user to Open-Xchange - 15 upvotes, $250
  115. [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users to Zomato - 15 upvotes, $100
  116. IDOR in merchant.rbmonkey.com allows deleting eShops of another user to RBKmoney - 15 upvotes, $0
  117. 'cnvID' parameter vulnerable to Insecure Direct Object References to Concrete CMS - 15 upvotes, $0
  118. idor leads to leak order information to Mail.ru - 15 upvotes, $0
  119. IDOR at 'media_code' when adding media to questions to Automattic - 15 upvotes, $0
  120. IDOR on notes to HTML injection to Palo Alto Software - 15 upvotes, $0
  121. IDOR to U.S. Dept Of Defense - 15 upvotes, $0
  122. [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users to New Relic - 14 upvotes, $1500
  123. IDOR - Leaking other user's folder names from /appsuite/api/import?action=ICA to Open-Xchange - 14 upvotes, $300
  124. IDOR allow to extract all registered email to Open-Xchange - 14 upvotes, $300
  125. IDOR on mcs.mail.ru to Mail.ru - 14 upvotes, $150
  126. IDOR on DoD Website exposes FTP users and passes linked to all accounts! to U.S. Dept Of Defense - 14 upvotes, $0
  127. IDOR in https://moneybird.com/user/accountant_company/edit(change company name) to Moneybird - 14 upvotes, $0
  128. IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in order_id parameter to Reddit - 13 upvotes, $500
  129. IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
  130. IDOR - Deleting other user's reminders just by id to Open-Xchange - 13 upvotes, $300
  131. Vimeo.com Insecure Direct Object References Reset Password to Vimeo - 13 upvotes, $0
  132. [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at clients/promoDataHandler.php to Zomato - 13 upvotes, $0
  133. Comment restriction in subsection "Workshop" of domain "steamcommunity.com" can be bypassed using IDOR to Valve - 13 upvotes, $0
  134. IDOR to edit test/poll/quiz on relap.io to Mail.ru - 13 upvotes, $0
  135. [Razer Pay Mobile App] IDOR within /v1_IM/friends/queryDrawRedLog allowed unauthorised access to read logs to Razer - 12 upvotes, $500
  136. IDOR to view other user folder name to Open-Xchange - 12 upvotes, $250
  137. IDOR exposes receipts of all users. to RecargaPay - 12 upvotes, $0
  138. IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user to U.S. General Services Administration - 12 upvotes, $0
  139. IDOR to expire other users' sessions to Shopify - 11 upvotes, $1000
  140. IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to Twitter - 11 upvotes, $0
  141. View & add to cart unlisted items via IDOR to Instacart - 11 upvotes, $0
  142. IDOR + Account Takeover [UNAUTHENTICATED] to U.S. Dept Of Defense - 11 upvotes, $0
  143. Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure to MTN Group - 11 upvotes, $0
  144. IDOR 'can delete any animal from another account' at https://www.miroyalcanin.cl/ to Mars - 11 upvotes, $0
  145. IDOR in tender.mail.ru leading to Information Disclosure to Mail.ru - 10 upvotes, $0
  146. India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance to Starbucks - 10 upvotes, $0
  147. IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data to Topcoder - 10 upvotes, $0
  148. IDOR on Stocky application - Low Stock - Variant Settings - Columns to Shopify - 9 upvotes, $750
  149. [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure to Mail.ru - 9 upvotes, $0
  150. IDOR on update user preferences to Palo Alto Software - 9 upvotes, $0
  151. IDOR in zakazaka (order status and reorder) to Mail.ru - 9 upvotes, $0
  152. IDOR leads to Leakage an ██████████ Login Information to U.S. Dept Of Defense - 9 upvotes, $0
  153. IDOR Allows Viewer to Delete Bin's Files to Lark Technologies - 9 upvotes, $0
  154. [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References to Mail.ru - 8 upvotes, $160
  155. IDOR: create accounts and verify them with the original account's email to WakaTime - 8 upvotes, $0
  156. IDOR to delete test/poll/quiz on relap.io to Mail.ru - 8 upvotes, $0
  157. IDOR leaking PII data via VendorId parameter to U.S. Dept Of Defense - 8 upvotes, $0
  158. Insecure direct object reference vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
  159. Insecure Direct Object Reference (IDOR) vulnerability in a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
  160. IDOR on https://██████ via POST UID enables database scraping to U.S. Dept Of Defense - 7 upvotes, $0
  161. IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/ to U.S. Dept Of Defense - 7 upvotes, $0
  162. IDOR allows accounts to view full name of other accounts based on email through share notes feature to New Relic - 6 upvotes, $750
  163. [c-api.city-mobil.ru] IDOR chat messages between driver and customer to Mail.ru - 6 upvotes, $150
  164. IDOR in treat subscriptions to Zomato - 6 upvotes, $100
  165. IDOR - Disable sharing to Nextcloud - 6 upvotes, $0
  166. [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover to Mail.ru - 6 upvotes, $0
  167. Full Account Take-Over of ████████ Members via IDOR to U.S. Dept Of Defense - 6 upvotes, $0
  168. View another user information with IDOR vulnerability to U.S. Dept Of Defense - 6 upvotes, $0
  169. IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name to U.S. General Services Administration - 6 upvotes, $0
  170. Generating Unlimited Free Travel Gift Invites | IDOR to Airbnb - 5 upvotes, $0
  171. Insecure Direct Object Reference - access to other user/group DM's to Twitter - 5 upvotes, $0
  172. Insecure Direct Object Reference on badoo.com to Bumble - 5 upvotes, $0
  173. [auto.mail.ru] IDOR allowing editing of any user's post to Mail.ru - 5 upvotes, $0
  174. Idor for firstpromoter service to Dropcontact - 5 upvotes, $0
  175. Insecure Direct Object Reference vulnerability to HackerOne - 4 upvotes, $500
  176. IDOR on https://www.eobot.com/paypal to Eobot - 4 upvotes, $0
  177. Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely to Veris - 4 upvotes, $0
  178. IDOR spam anyone's cellphone number through Cuvva app link to Cuvva - 4 upvotes, $0
  179. idor on upload profile functionality to U.S. Dept Of Defense - 4 upvotes, $0
  180. IDOR: Adding Contacts to Other User Groups to 8x8 - 4 upvotes, $0
  181. information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint to Mail.ru - 4 upvotes, $0
  182. IDOR on ███████ [HtUS] to U.S. Dept Of Defense - 4 upvotes, $0
  183. IDOR on removing Share to Enter - 3 upvotes, $250
  184. Insecure direct object reference - have access to deleted DM's to Twitter - 3 upvotes, $0
  185. Critical IDOR - Get venue data of any organization remotely to Veris - 3 upvotes, $0
  186. Critical IDOR - Can select any Parent while creating new Venue to Veris - 3 upvotes, $0
  187. Critical IDOR - Make Rule for Any Group & Any Venue remotely to Veris - 3 upvotes, $0
  188. Critical IDOR - Get Rules of any organization remotely to Veris - 3 upvotes, $0
  189. Critical IDOR - Get anyone's Terminal Data remotely to Veris - 3 upvotes, $0
  190. Critical IDOR - Set anyone's Terminal Data remotely to Veris - 3 upvotes, $0
  191. Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper to Veris - 3 upvotes, $0
  192. Critical IDOR - Delete any terminal/gatekeeper of any organization remotely to Veris - 3 upvotes, $0
  193. Critical IDOR - Delete any rule of any organization remotely to Veris - 3 upvotes, $0
  194. Critical IDOR - Delete any venue of any organization remotely to Veris - 3 upvotes, $0
  195. Critical IDOR - Delete any group of any organization remotely to Veris - 3 upvotes, $0
  196. Insecure Direct Object Reference on API without API key to Semrush - 3 upvotes, $0
  197. Insecure Direct Object Reference on in-scope .mil website to U.S. Dept Of Defense - 3 upvotes, $0
  198. IDOR - User is able to download charts/dashboards from cross accounts to New Relic - 3 upvotes, $0
  199. Members Personal Information Leak Due to IDOR to U.S. Dept Of Defense - 3 upvotes, $0
  200. IDOR able to buy a plan with lesser fee to Automattic - 3 upvotes, $0
  201. CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 2 upvotes, $0
  202. Insecure Direct Object References in https://vimeo.com/forums to Vimeo - 2 upvotes, $0
  203. Insecure Direct Object References that allows to read any comment (even if it should be private) to Vimeo - 2 upvotes, $0
  204. IDOR allows modifying a user's information to Mail.ru - 2 upvotes, $0
  205. IDOR - Delete Users' Saved Projects to U.S. Dept Of Defense - 2 upvotes, $0
  206. Authorization bypass -> IDOR -> PII Leakage to U.S. Dept Of Defense - 2 upvotes, $0
  207. IDOR in locid parameter allowing to view other accounts' Profile Locations to Yelp - 1 upvote, $0
  208. IDOR Lead To VIEW & DELETE & Create api_key [HtUS] to U.S. Dept Of Defense - 1 upvote, $0
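The titles above share one pattern: a request carries an object id (a `user_id` field, a `discardDraftId`, an `order_id`, a `uid`, a `locid`) and the server looks it up without checking that the caller owns the object. As an added example, not code from any of the listed reports or programs, here is that pattern in a minimal in-memory Python API: a vulnerable read handler next to a hardened one, the same ownership check reused on the write path, and the two-account probe a tester runs against every object-referencing endpoint. All names (`Order`, `Session`, `fetch_order_vulnerable`, `fetch_order_fixed`, `attempt_update`, `idor_probe`) and the two sample records are hypothetical, constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Order:
    order_id: int
    owner: str      # account that placed the order
    address: str    # the kind of field the delivery-address reports above leak or rewrite


@dataclass
class Session:
    user: str       # principal established server-side at login, never taken from the request body


# Constructed sample data for this example: two accounts, one order each.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "1 Alice Lane"),
    1002: Order(1002, "bob", "2 Bob Street"),
}


class Forbidden(Exception):
    """The caller is authenticated but does not own the referenced object."""


def fetch_order_vulnerable(session: Session, order_id: int) -> Optional[Order]:
    # Vulnerable: the client-supplied id is the only input to the lookup.
    # Any logged-in user who guesses or increments an id gets someone else's order.
    return ORDERS.get(order_id)


def fetch_order_fixed(session: Session, order_id: int) -> Optional[Order]:
    # Hardened: same lookup, but the record is released only if the session's
    # principal owns it. The decision comes from the session, not from any
    # user_id the client could place in the request.
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.owner != session.user:
        raise Forbidden(f"{session.user} does not own order {order_id}")
    return order


FetchFn = Callable[[Session, int], Optional[Order]]


def attempt_update(session: Session, order_id: int, new_address: str,
                   fetch: FetchFn = fetch_order_fixed) -> str:
    """Write path that reuses the ownership-checked fetch.

    Returns "updated", "forbidden" or "missing" so the outcome is easy to
    assert on. Delete and other mutating handlers follow the identical shape.
    """
    try:
        order = fetch(session, order_id)
    except Forbidden:
        return "forbidden"
    if order is None:
        return "missing"
    order.address = new_address
    return "updated"


def idor_probe(fetch: FetchFn, attacker: Session, victim_object_id: int) -> bool:
    """Two-account check a tester runs per endpoint: authenticate as the
    attacker, replay an id that belongs to the victim, and see whether a
    foreign object comes back. True means the endpoint is IDOR-vulnerable."""
    try:
        obj = fetch(attacker, victim_object_id)
    except Forbidden:
        return False
    return obj is not None and obj.owner != attacker.user


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable handler leaks alice's order:", idor_probe(fetch_order_vulnerable, bob, 1001))
    print("fixed handler leaks alice's order:     ", idor_probe(fetch_order_fixed, bob, 1001))
    print("bob rewriting alice's address (fixed): ", attempt_update(bob, 1001, "attacker's drop"))
```

Two things the list itself makes clear and the code reflects: swapping sequential ids for UUIDs is not a fix (several entries above leak the uuids through another endpoint), so the ownership check in `fetch_order_fixed` is the control, not the id format; and the probe applies unchanged to tenant- or organization-scoped objects (the "cross-tenant" entries), with the second account simply created in a different tenant.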