Discover the intriguing tale of how I stumbled upon an IDOR (Insecure Direct Object Reference) vulnerability in Examfit’s (a placeholder name for the private program) Expense Validation system, and how this flaw could have led to unauthorized expense approvals, potentially costing companies a fortune.
An IDOR vulnerability caught my eye in Examfit’s (not the original name of the private program) Expense Validation system. But what’s IDOR, you ask? It’s like opening a door to a room you’re not supposed to enter, except it’s a digital room filled with sensitive data. Technically, it happens when an application takes an object identifier from the request (an expense ID, say) and acts on that object without checking that the caller is actually allowed to touch it. In this case, it was the power to approve or reject expense requests on behalf of a victim company. Yes, you read that right!
Unleashing the Power of IDOR
Imagine this scenario: a company uses Examfit for expense management, and an employee submits an expense request. Now imagine being able to approve or reject those expenses on behalf of that company, without being one of its managers. With two accounts, one an employee account in the victim’s company and the other an account in the attacker’s own company, the stage is set for some sneaky maneuvers: because the approval action references the expense directly rather than scoping it to the caller’s company, the attacker’s account can decide the fate of the victim company’s expenses.
Why This Matters
Now, you might be thinking, “What’s the big deal?” Well, imagine the chaos if someone can approve or reject expenses without permission. It’s like letting someone else decide what to do with your money, definitely not a good idea! If an outside attacker, or an insider employee, uses this bug to create fake expense requests and then approve them themselves, the company starts losing real money, and the approval trail looks legitimate because it went through the normal workflow.
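To make the bug class concrete, here is an added example in Python. It is not Examfit’s code and does not reproduce any real endpoint; the tenant names, roles, amounts and the two functions are all constructed for illustration. It models the two scenarios above: a manager from the attacker’s company deciding a victim company’s expense, and an employee approving their own fake request. The vulnerable function selects the expense by ID alone; the hardened one scopes the lookup to the caller’s company, enforces the manager role, refuses self-approval, and rejects repeat decisions.

```python
"""IDOR in an expense-approval flow: vulnerable lookup beside a hardened one.

Added example, not code from Examfit. Every identifier, tenant and record
below is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    company_id: str
    role: str  # "employee" or "manager" (assumed role model)


@dataclass
class Expense:
    expense_id: int
    company_id: str
    submitted_by: str
    amount: float
    status: str = "pending"


class ExpenseStore:
    """Single expense table shared by every tenant, as a multi-tenant SaaS would have."""

    def __init__(self) -> None:
        self._expenses: dict[int, Expense] = {}
        self._next_id = 1  # sequential ids make foreign records trivial to guess

    def submit(self, actor: User, amount: float) -> Expense:
        exp = Expense(self._next_id, actor.company_id, actor.user_id, amount)
        self._expenses[exp.expense_id] = exp
        self._next_id += 1
        return exp

    def get(self, expense_id: int) -> Expense:
        return self._expenses[expense_id]

    def decide_vulnerable(self, actor: User, expense_id: int, decision: str) -> Expense:
        """Vulnerable: the request-supplied id is the only thing that selects the row.
        The role check passes for ANY manager, including one from another company."""
        if actor.role != "manager":
            raise PermissionError("managers only")
        exp = self._expenses[expense_id]
        exp.status = decision
        return exp

    def decide_hardened(self, actor: User, expense_id: int, decision: str) -> Expense:
        """Hardened: authorization is evaluated against the object, not just the caller."""
        if decision not in ("approved", "rejected"):
            raise ValueError("decision must be approved or rejected")
        if actor.role != "manager":
            raise PermissionError("managers only")
        exp = self._expenses.get(expense_id)
        # Same error for "does not exist" and "belongs to another tenant", so the
        # response does not reveal whether a guessed id is valid.
        if exp is None or exp.company_id != actor.company_id:
            raise LookupError("no such expense")
        if exp.submitted_by == actor.user_id:
            raise PermissionError("cannot decide your own expense")
        if exp.status != "pending":
            raise ValueError("expense already decided")
        exp.status = decision
        return exp


def cross_tenant_demo() -> tuple[str, bool, str]:
    """Returns (status after vulnerable call, hardened call blocked?, status after hardened)."""
    store = ExpenseStore()
    alice = User("alice", "victim-co", "employee")
    mallory = User("mallory", "attacker-co", "manager")  # attacker's own tenant
    exp = store.submit(alice, 4200.00)

    store.decide_vulnerable(mallory, exp.expense_id, "approved")
    after_vulnerable = store.get(exp.expense_id).status

    store.get(exp.expense_id).status = "pending"  # reset for the hardened attempt
    try:
        store.decide_hardened(mallory, exp.expense_id, "approved")
        blocked = False
    except LookupError:
        blocked = True
    return after_vulnerable, blocked, store.get(exp.expense_id).status


def self_approval_demo() -> bool:
    """An insider manager submits a fake expense and tries to approve it themselves."""
    store = ExpenseStore()
    bob = User("bob", "victim-co", "manager")
    exp = store.submit(bob, 999.99)
    try:
        store.decide_hardened(bob, exp.expense_id, "approved")
        return False
    except PermissionError:
        return store.get(exp.expense_id).status == "pending"


if __name__ == "__main__":
    print(cross_tenant_demo())   # ('approved', True, 'pending')
    print(self_approval_demo())  # True
```

The fix that matters is the tenant check on the fetched object; the role check alone was already present in the vulnerable version and did nothing to stop a manager from a different company. Returning the same error for missing and foreign IDs also keeps the endpoint from acting as an oracle for enumerating other tenants’ expense IDs.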
A Bounty Earned
With great vulnerability discovery comes great responsibility. After I alerted Examfit’s security team to this sneaky IDOR, the issue was addressed, and a well-earned $1000 bounty was awarded.
Final Thoughts
And there you have it, the story of how a little bug made a big impact and turned into a rewarding experience in the world of bug bounties. Stay curious, keep exploring, and remember that every bug found is a step towards a safer online world and a healthier bank balance. :)
Until next time, fellow explorers!
Leave a clap if you enjoyed this read, and consider following me for more exciting content.
If you’re eager to discuss findings or dive into the world of bug bounties, you can also find me on Twitter.
Find me on Twitter: @a13h1_
Thank you everyone