How I discovered a critical Insecure Direct Object Reference vulnerability that allowed unauthorized access to any user profile — and how you can find similar bugs.
TL;DR: I found a critical IDOR vulnerability in a user profile API endpoint that allowed any authenticated user to view, modify, or delete any other user’s private profile data by simply changing the user ID parameter. The bug earned me a $15,000 payout after a smooth 12-day disclosure process with the vendor.
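To make the failure concrete, here is an added illustration (not the vendor's code, and not the author's) of the pattern the TL;DR describes, modelled as a minimal profile API in plain Python. The sample profiles, ids and handler names are constructed for this example. The vulnerable handler authenticates (a session exists) but never authorizes: the `{id}` from the path is trusted as-is, so a logged-in user can read, modify or delete any profile. The fixed handler adds the ownership check and answers 404 rather than 403 so the response does not confirm which ids exist.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample profiles standing in for the vendor's data store.
SAMPLE_PROFILES: Dict[int, dict] = {
    1001: {"email": "alice@example.test", "phone": "+1-555-0100"},
    1002: {"email": "bob@example.test", "phone": "+1-555-0101"},
}


def make_store() -> Dict[int, dict]:
    """Fresh copy of the sample data so each scenario starts clean."""
    return deepcopy(SAMPLE_PROFILES)


@dataclass
class Request:
    session_user_id: Optional[int]   # subject the session token belongs to
    path_user_id: int                # the {id} taken from /users/{id}
    method: str = "GET"
    body: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _serve_profile(store: Dict[int, dict], req: Request) -> Response:
    """Core CRUD on one profile; deliberately contains no access-control decision."""
    profile = store.get(req.path_user_id)
    if profile is None:
        return Response(404)
    if req.method == "GET":
        return Response(200, dict(profile))
    if req.method == "PUT":
        profile.update(req.body or {})
        return Response(200, dict(profile))
    if req.method == "DELETE":
        del store[req.path_user_id]
        return Response(204)
    return Response(405)


def vulnerable_handler(store: Dict[int, dict], req: Request) -> Response:
    """IDOR: verifies that *a* session exists (authentication) but trusts the
    caller-supplied id outright (no authorization)."""
    if req.session_user_id is None:
        return Response(401)
    return _serve_profile(store, req)


def fixed_handler(store: Dict[int, dict], req: Request) -> Response:
    """Ownership check: the id in the path must equal the authenticated subject.
    A 404 (not 403) avoids revealing whether the other id exists."""
    if req.session_user_id is None:
        return Response(401)
    if req.path_user_id != req.session_user_id:
        return Response(404)
    return _serve_profile(store, req)


def cross_account_statuses(handler) -> Dict[str, int]:
    """Run the three cross-account operations from the TL;DR (Bob's session,
    Alice's id) through a handler and report the HTTP status of each."""
    store = make_store()
    out: Dict[str, int] = {}
    for method, body in (("GET", None), ("PUT", {"phone": "+1-555-0199"}), ("DELETE", None)):
        req = Request(session_user_id=1002, path_user_id=1001, method=method, body=body)
        out[method] = handler(store, req).status
    return out


if __name__ == "__main__":
    print("vulnerable:", cross_account_statuses(vulnerable_handler))
    print("fixed:     ", cross_account_statuses(fixed_handler))
```

The point of `cross_account_statuses` is that the only difference between the two handlers is a single comparison between the session subject and the path parameter; the CRUD logic is identical. In a real service that comparison belongs in one shared authorization layer (or an ownership-scoped database query such as `WHERE id = ? AND owner = ?`) rather than being repeated per handler, which is exactly where a redesigned "new profile management system" tends to drop it.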
🎯 Target & Scope
The program I was hunting on had a solid scope that included their main web application and all associated API endpoints. They specifically called out “.targetapp.com” and “.targetapp.io” as in-scope, along with their mobile API which was accessible via “api.targetapp.io”.
I always start by reading the scope three times. Sounds excessive, but I’ve missed easy wins by skimming.
The scope document mentioned they had recently launched a new profile management system as part of their platform redesign. That’s always a red flag — new code means potential security gaps.
The bounty program offered rewards from $500 (low) to $25,000 (critical), with clear severity ratings based on CVSS 3.1 scoring…