neelam
Jul 26, 2020


A Simple IDOR that should not be missed on a dating App ;)

Hello Again!!!

I am writing this article to give you tips on finding simple vulnerabilities.

So let’s check out how I found this IDOR!!

It was very easy to identify the endpoint for the IDOR, but what matters is how you make the report acceptable, i.e. show that the data you can reach is actually private :D

This dating app returned a user’s details based on a numeric identifier in the request (it looked like a random number). So all I needed to check was whether supplying a different identifier returned another user’s details or not.

Many API endpoints had this issue, but most of them only returned information that was already publicly visible on the profile, which is not a reportable IDOR.

Finally, I found one interesting endpoint where you can see a user’s full list of details. Looking at the response, many of the fields were things already publicly known about the user, for example the profile name, age, city, etc.

But as I kept scrolling down the response, I saw something interesting, as shown in the PoC below.

User 1

In the User 1 response you can see unread messages, notifications, new visits, etc. These are details that only the account owner should see, and here they belonged to my currently logged-in user.

User 2
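To make the check the two screenshots illustrate repeatable, here is an added example (not code from the original post or from the app): a minimal model of the broken endpoint, a hardened version beside it, and the test a tester runs with two accounts they own. The endpoint behaviour, the field names (`unread_messages`, `notifications`, `new_visits`) and the user records are all hypothetical, and it separates public profile fields from private ones so that only a real leak is counted as a finding.

```python
# Added example, not from the original post or the app it describes.
# Models the IDOR: the endpoint keys the response on the user id in the
# request and never checks that it belongs to the logged-in session.

# Constructed sample data (hypothetical): two accounts the tester owns.
USERS = {
    1001: {
        "profile_name": "alice", "age": 29, "city": "Pune",
        "unread_messages": 3, "notifications": 5, "new_visits": 2,
    },
    1002: {
        "profile_name": "bob", "age": 34, "city": "Mumbai",
        "unread_messages": 7, "notifications": 1, "new_visits": 9,
    },
}

# Public profile data leaking is not a finding; private account data is.
PUBLIC_FIELDS = {"profile_name", "age", "city"}
PRIVATE_FIELDS = {"unread_messages", "notifications", "new_visits"}


def vulnerable_user_details(session_user_id, requested_user_id):
    """Broken endpoint: only the id from the request is used to look up
    the record; the caller's own identity is never compared against it."""
    user = USERS.get(requested_user_id)
    if user is None:
        return None
    return dict(user)  # public AND private fields, whoever asks


def fixed_user_details(session_user_id, requested_user_id):
    """Hardened endpoint: public fields for anyone, private fields only
    when the requested id is the logged-in user's own id."""
    user = USERS.get(requested_user_id)
    if user is None:
        return None
    response = {k: v for k, v in user.items() if k in PUBLIC_FIELDS}
    if session_user_id == requested_user_id:
        response.update({k: user[k] for k in PRIVATE_FIELDS})
    return response


def idor_leak_check(fetch, my_id, victim_id):
    """The manual test from the post, made mechanical: call the endpoint as
    `my_id` but request `victim_id`, then report only the PRIVATE fields
    whose values match the victim account's real data (the tester owns
    both accounts, so the expected values are known)."""
    response = fetch(my_id, victim_id)
    if not response:
        return set()
    victim = USERS[victim_id]
    return {k for k in PRIVATE_FIELDS
            if k in response and response[k] == victim[k]}


if __name__ == "__main__":
    for name, fetch in (("vulnerable", vulnerable_user_details),
                        ("fixed", fixed_user_details)):
        leaked = idor_leak_check(fetch, my_id=1001, victim_id=1002)
        print(f"{name}: leaked private fields = {sorted(leaked)}")
```

The point of `idor_leak_check` is the filter: it ignores `profile_name`, `age` and `city` and only reports fields that the account owner alone should see, which is exactly the distinction that turns an "endpoint takes an id" observation into an accepted report.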
