IDOR and Mass Assignment attacks leads to Full Account Takeover of Internal Employees

Radian ID
4 min readSep 30, 2023

--

source image : https://www.securecoding.com/blog/how-to-prevent-idor-attacks/

Hi everyone, I hope you are doing well. It’s been a while since I last published an article about my findings. In this article, I will share my discovery of how I gained full access to internal employee accounts and took control of the entire organization.

The Target

Well, since the target was private due to protect privacy, let’s assume as target.com. The target was a platform that allows individuals or organizations to create and manage online communities. It provides a range of tools and features for building, organizing, and engaging with community members. Some of the key functions of the target include:

  1. Community Creation: You can easily create online communities customized to your brand or specific topics.
  2. Discussion Forums: It provides discussion forums where members can converse, share ideas, and interact with one another.
  3. Content Sharing: Members can share content such as blog posts, images, and relevant links related to the community’s topic.
  4. Role Assignment: You can set up member roles within the community, such as administrators, moderators, or regular members.
  5. Activity Monitoring: It allows you to monitor member activities and track the community’s progress.
  6. Integration: Target.com often offers integrations with other software or services used by organizations.

It is used by various types of organizations, ranging from business brands to user communities of specific products or services. Its primary goal is to enable people to interact, collaborate, and share information within focused online communities.

Hunt Begins

So I went to the target.com and doing the basic things like register an account and logging in to the account. I discovered that I could create my organization and invite any user to join it. So, I created an organization named “laplace” and received a subdomain for it, “laplace.targetplatform.com.” I then created another account: as an victim. My victim account had the subdomain “victimlaplace.targetplatform.com.”

While exploring the victim’s pages, I noticed that I could access member pages using URLs like https://victimlaplace.targetplatform.com/member/{randomUniqID}. I copied this randomUniqID to my notepad

screenshoot from victim member pages

Next, I accessed my attacker account and edited the account while checking for Insecure Direct Object Reference (IDOR) vulnerabilities

GraphQL request when editing profiles

The ID parameter in the GraphQL request that caught my attention. I replaced the ID value with the victim’s ID that I had saved earlier and sent the request

response from the request above

The response confirmed that the request was successful, as the name of my victim account had been changed, indicating an IDOR vulnerability.

But that wasn’t done yet, in the response, I noticed an email parameter containing my victim’s email. What if I added a new parameter called “email” in the request body with my attacker’s email? (This type of bug is referred to as Mass Assignment Attacks, read more here.) So I returned to my attacker account, modified some information, and sent the request with the added “email” parameter :

Adding new parameter called email to the body request

I send that request and the response looks like this :

New parameter called newEmail is showed up

The response revealed a new parameter called “newEmail” with my attacker’s email value. I then checked my victim account and saw that a confirmation email had been sent to my attacker’s email

Confirmation email already sent to a new email

So I went to my attacker email and visit the URL from the confirmation email. The URL confirmation was like this :

Confirmation URL

I modified the host header to the victim’s subdomain, “victimlaplace.targetplatform.com,” and sent the request. This action automatically logged me out of my attacker account. I returned to my victim account to confirm if the email had been successfully changed

Email succesfully changed

Then I attempted to reset the password for the victim account and successfully logged in, gaining full access to the victim’s account and the entire organization.

Additionally, I discovered a subdomain managed by the internal teams called “blog.target.com.” I accessed the members’ pages and obtained the Owner member ID’s. This allowed me to gain access to internal accounts and take control of the entire organization.

I promptly reported this vulnerability to their security team, and it has since been resolved. That concludes my write-up. I hope you found it informative and enjoyable. Keep learning and keep exploring while staying silent.

You can bought me a coffe if you want to :

./Logout

--

--