IDOR leading to disclosure of memos of customers.

Aniket Doke
5 min read · Aug 7, 2022

Hello All,

This is my second blog post on a vulnerability I found, this time in the mobile application of a VDP program. I received a good bounty for it too and hope to find more like it in the near future.

Now let's start. You all must know what a brute force attack is and what one can achieve with it. A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations' systems and networks.

The application was an Android app available on the Play Store. Anyone who has tested an Android application knows that you need a rooted device for it.

So I installed the application on a rooted device, and the application crashed, displaying an alert that the device was rooted.

To bypass this root detection I used MagiskHide, which hides root from selected apps. (The application name and icon cannot be shown due to the non-disclosure policy.)

With root detection bypassed, the application was working. Next I wanted to understand the flow of the application and its functionality, so I logged in with the credentials provided and started navigating through it. The application's purpose was to provide gold loans to eligible customers: a customer registers their personal details, completes KYC, and the loan is then approved.
</gml_replace>
<gr_replace lines="20" cat="clarify" orig="Don’t worry">
Don't worry, the brute force and IDOR parts are yet to come. As a user I completed the KYC and reached a page where the user can download a report of all their personal details (which included address, DOB, PAN, Aadhaar card, bank details, etc.). When I tapped "download report", the application prompted me to open it in a browser, as seen in the screenshot below.

Don’t worry the brute force part and IDOR part is yet to come. Now as a user I completed the KYC and came to one page where user can download a report of all the personal details (which included Address, DOB, PAN, Aadhar card, Bank details etc..). Now as I clicked on download report the application prompted to open it using a browser as seen in the screen-shot below .

I tapped it once, the report was downloaded as a PDF, and the application displayed another alert telling me to use my DOB as the password to open the report.

A user can open the report just by entering their DOB in ddmmyyyy format. But wait a minute: when we tapped "download report", it also displayed a URL containing an IP address.

I copied the URL into a text file and saw that its final parameter was a reference number. I pasted the URL into a web browser and, to my surprise, the report was downloaded. I changed the last two digits of the ref number and, again to my surprise, another report was downloaded.

The URL was something like this: http://ip add/FetchReport.aspx?refno=54321

I opened the second report and entered my DOB, but it would not open: the password was incorrect. That meant I had downloaded another user's report. What I had performed here was an IDOR.

What is an Insecure Direct Object Reference (IDOR) vulnerability? In its most basic form, an IDOR is an object referenced within a web application without the correct controls in place to prevent an unauthorized user from accessing it directly, either by enumerating or by guessing/predicting the object reference. IDOR vulnerabilities typically occur when the access control mechanism relies on a user-controlled parameter value that is used to access functionality or resources directly. Typically this is a numeric or otherwise predictable value that an attacker or malicious user can predict, brute force and then manipulate to gain access to data and/or functionality that was not intended for them.

I could have brute forced the ref number and downloaded a whole bunch of other users' reports, but here I downloaded only a few.
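From the defender's side, enumeration of a sequential identifier like refno leaves an obvious trace in the web server's access log: one client requesting many distinct report numbers, often consecutive ones, in a short time. The following is an added example (not from the post or the vendor) that parses a few constructed access-log lines in a simplified format and flags clients that fetch at least five distinct refno values within a five-minute window. The log format, IP addresses, session ids, refno values and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (simplified format: timestamp, client IP,
# session id, request line, HTTP status). All values are made up.
SAMPLE_LOG = """\
2022-08-01T10:00:01 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54321 200
2022-08-01T10:00:09 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54322 200
2022-08-01T10:00:15 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54323 200
2022-08-01T10:00:20 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54324 200
2022-08-01T10:00:24 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54325 200
2022-08-01T10:00:29 203.0.113.5 sess=A1 GET /FetchReport.aspx?refno=54326 200
2022-08-01T11:30:00 198.51.100.7 sess=B2 GET /FetchReport.aspx?refno=60001 200
2022-08-01T11:45:00 198.51.100.7 sess=B2 GET /FetchReport.aspx?refno=60001 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) "
    r"GET /FetchReport\.aspx\?refno=(?P<refno>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": f"{m['ip']}/{m['sess']}",
            "refno": int(m["refno"]),
            "status": int(m["status"]),
        })
    return events


def find_enumeration(events, window=timedelta(minutes=5), min_distinct=5):
    """Return {client: details} for clients that requested at least
    `min_distinct` different refno values inside any `window`-long span.
    `sequential` is True when those refnos form an unbroken run, which is the
    signature of someone walking the identifier space."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            refnos = sorted({e["refno"] for e in in_window})
            if len(refnos) >= min_distinct:
                sequential = all(b - a == 1 for a, b in zip(refnos, refnos[1:]))
                alerts[client] = {
                    "distinct_refnos": len(refnos),
                    "sequential": sequential,
                    "first_seen": start["ts"].isoformat(),
                }
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for client, details in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(client, details)
```

Detection like this is a compensating control, not a fix: once the ownership check from the previous section is in place, the same enumeration shows up as a burst of 403 responses instead of a burst of successful downloads, which is both harmless and even easier to alert on.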

The tough part was finding out the DOB of the other user, but the hint was already in front of me: the password format was ddmmyyyy, so the password could be any date, e.g. 01021988, 02021989 ... and so on.

One of my good friends said that to make hard things easy we have our favorite programming language, Python.

He found a Python script to enumerate every date from 1960 to 2020, since anyone applying for a gold loan must be over 18. After a bit of trial and error he had the full list of dates as numbers.

Ref link: https://stackoverflow.com/questions/59882714/python-generating-a-list-of-dates-between-two-dates

After dumping the dates into a text file, he used the PDF password-cracking tool John the Ripper in Kali to brute force the PDF, recover the password and open the file.

That was it, guys. I hope you all found this vulnerability interesting, and yes, do like it. :)

Happy Hunting! ;)
