My first IDOR on hackerone

Aneesha D (ohzo)
2 min read · Mar 3, 2023

Hello all… Today, I will be sharing with you how I discovered an IDOR vulnerability on a government website.

So what is IDOR?

Insecure Direct Object Reference (IDOR) is a common access-control flaw. The application takes an identifier supplied by the client (a numeric ID in a URL path, a query parameter, a filename) and uses it directly to look up an internal object such as a file, a database row, or a user record, without checking that the requester is actually allowed to access that particular object. Because the only effective check is "is this user logged in?", any authenticated user can reach other users' data simply by changing the identifier.

Let's see what I found and how!

While searching on Shodan, I stumbled upon an IP address that belonged to the government of Singapore. From there, I discovered the domain (for example, domain.org) and began looking for subdomains, eventually using the Firefox extension “Open multiple URL” to open them all at once.

While browsing the tabs, I discovered a sign-up page for users on the subdomain xyz.domain.org and created an account to access the dashboard. However, when I clicked on “My profile”, it took me to the profile of the superadmin, with the ID in the URL “/profile/edit/1”, where I could view personal details such as email, address, phone number, and location.
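To make the class of bug concrete, here is an added example in Python (not code from the application in the write-up): a profile-edit route shaped like the /profile/edit/<id> URL above, first with the raw URL id used as the lookup key, then with an object-level authorization check, plus the enumeration check a tester would run against both handlers. The in-memory user table, the session object, the role name "admin" and all sample data are assumptions made for illustration.

```python
"""Insecure direct object reference (IDOR) on a profile-edit route.

Added example, not the vulnerable application from the write-up. The route
shape /profile/edit/<id>, the in-memory user table, the Session object and
the "admin" role name are assumptions made for illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not access the object."""


@dataclass
class Session:
    user_id: int
    roles: set = field(default_factory=set)


# Constructed sample data standing in for the application's user table.
# id 1 plays the role of the superadmin profile reached in the write-up.
USERS = {
    1: {"username": "superadmin", "email": "admin@xyz.example", "phone": "+65 0000 0000"},
    2: {"username": "alice", "email": "alice@example.net", "phone": "+65 1111 1111"},
    3: {"username": "bob", "email": "bob@example.net", "phone": "+65 2222 2222"},
}


def profile_edit_vulnerable(session: Session, profile_id: int) -> dict:
    """Vulnerable: the id from the URL is used directly as the lookup key.

    The only check is that the caller is logged in; nothing ties the requested
    object to the caller, so any authenticated user can walk the id space.
    """
    if session is None:
        raise Forbidden("login required")
    return USERS[profile_id]


def profile_edit_fixed(session: Session, profile_id: int) -> dict:
    """Hardened: object-level authorization on every access.

    A user may edit their own profile; only an explicit admin role may edit
    other users' profiles. Missing objects get the same 403 as forbidden ones
    so the endpoint cannot be used to learn which ids exist.
    """
    if session is None:
        raise Forbidden("login required")
    is_owner = profile_id == session.user_id
    is_admin = "admin" in session.roles
    if not (is_owner or is_admin) or profile_id not in USERS:
        raise Forbidden("not authorized for this object")
    return USERS[profile_id]


def profile_edit_by_session(session: Session) -> dict:
    """Safest shape for a "My profile" link: take no id from the client at all."""
    return USERS[session.user_id]


def enumerate_profiles(handler, session: Session, id_range) -> list:
    """Tester's check: which ids in the range does this handler hand back?

    Returns the usernames a given session can read. For a correctly authorized
    handler and a low-privilege session that list holds only the caller's own.
    """
    readable = []
    for pid in id_range:
        try:
            readable.append(handler(session, pid)["username"])
        except (Forbidden, KeyError):
            continue
    return readable


if __name__ == "__main__":
    attacker = Session(user_id=3)  # freshly registered low-privilege account
    print("vulnerable:", enumerate_profiles(profile_edit_vulnerable, attacker, range(1, 5)))
    print("fixed:     ", enumerate_profiles(profile_edit_fixed, attacker, range(1, 5)))
```

The point of the fix is not hiding or randomizing the id (an unguessable id only slows enumeration down) but checking, on every request, that the authenticated principal is permitted to act on the specific object the id names. For a "My profile" link, the cleanest design is the third handler: derive the id from the session and accept none from the client.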


Written by Aneesha D (ohzo)

I am a Software Developer and a Security Researcher with a Bachelor of Engineering in CS.
