H1:2483666

HackerOne: [IDOR] Improper Access Control on Embedded Submission Form

2024-04-30 07:06:24
japz
hackerone.com
10
improper access control
embedded submission form
unauthorized access
sensitive information
vulnerability
hackerone
graphql request

AI Score

6.6

Confidence

Low

The researcher discovered an improper access control vulnerability that allowed them to read sensitive program information for private or inactive embedded submission forms using nothing more than the form’s UUID. Even though the embedded forms were no longer publicly accessible, sending a GraphQL request that referenced the UUID still returned details such as the program’s response efficiency percentage, intro text, and structured scopes.

The researcher used reconnaissance techniques like waybackurls to discover old URLs containing embedded submission form UUIDs that may have been public at one point but are now private. This allowed them to obtain a list of UUIDs for various private programs.

After some discussion, HackerOne acknowledged this as a valid low severity vulnerability. The core issue was that possession of the form’s unpredictable UUID was being treated as sufficient authorization, even though, as HackerOne’s new Detailed Platform Standards note, such UUIDs can be obtained through various means.
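The two halves of the report above, as an added example that is not part of the original summary or of HackerOne’s code: harvesting form UUIDs from archived URLs (what grepping waybackurls output amounts to), and the server-side check whose absence lets any holder of a UUID read a private form. The URL path segment, the GraphQL field names, the form records and the program membership data are all constructed assumptions for illustration, not HackerOne’s real schema or endpoints.

```python
"""Added illustration: UUID harvesting from archived URLs, and a resolver
before/after the access-control fix. All URLs, paths, field names and data
below are constructed for this example (assumptions, not HackerOne's API)."""
import re
from dataclasses import dataclass, field

# RFC 4122 shape: version nibble 1-5, variant nibble 8/9/a/b.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
    re.IGNORECASE,
)

# Constructed sample of what a waybackurls run might return (assumed domain
# and path segment; the duplicate and the query string are deliberate).
ARCHIVED_URLS = [
    "https://example.com/acme-corp",
    "https://example.com/embedded_submissions/11111111-2222-4333-8444-555555555555",
    "https://example.com/embedded_submissions/aaaaaaaa-bbbb-4ccc-9ddd-eeeeeeeeeeee?ref=blog",
    "https://example.com/embedded_submissions/11111111-2222-4333-8444-555555555555",
    "https://example.com/reports/12345",
]


def harvest_form_uuids(urls, path_segment="/embedded_submissions/"):
    """Return unique, lower-cased UUIDs from URLs under the (assumed) form path."""
    found = []
    for url in urls:
        if path_segment not in url:
            continue
        for match in UUID_RE.findall(url):
            uuid = match.lower()
            if uuid not in found:
                found.append(uuid)
    return found


@dataclass
class EmbeddedForm:
    uuid: str
    program: str
    active: bool                      # still publicly embeddable?
    intro_text: str
    response_efficiency: int          # percentage
    structured_scopes: list = field(default_factory=list)


# Constructed store: one live form, one that the program has since withdrawn.
FORMS = {
    "11111111-2222-4333-8444-555555555555": EmbeddedForm(
        "11111111-2222-4333-8444-555555555555", "acme-corp", True,
        "Report security issues in Acme products.", 92, ["*.acme.example"]),
    "aaaaaaaa-bbbb-4ccc-9ddd-eeeeeeeeeeee": EmbeddedForm(
        "aaaaaaaa-bbbb-4ccc-9ddd-eeeeeeeeeeee", "private-corp", False,
        "Internal program, invite only.", 64, ["api.private.example"]),
}

# Constructed membership table: program -> set of usernames allowed to see it.
MEMBERS = {"private-corp": {"alice"}}


def _view(form):
    """Fields the report says the GraphQL response exposed (names assumed)."""
    return {
        "response_efficiency_percentage": form.response_efficiency,
        "intro_text": form.intro_text,
        "structured_scopes": list(form.structured_scopes),
    }


def resolve_form_vulnerable(uuid, viewer=None, forms=FORMS):
    """Before the fix: knowing the UUID is treated as authorization."""
    form = forms.get(uuid.lower())
    return None if form is None else _view(form)


def resolve_form_fixed(uuid, viewer=None, forms=FORMS, members=MEMBERS):
    """After the fix: the UUID only locates the form. Data is released only if
    the form is active, or the viewer belongs to the owning program. An
    unauthorized request gets the same answer as an unknown UUID, so the
    response does not confirm that the UUID exists."""
    form = forms.get(uuid.lower())
    if form is None:
        return None
    allowed = form.active or (viewer is not None and viewer in members.get(form.program, set()))
    return _view(form) if allowed else None


if __name__ == "__main__":
    for uuid in harvest_form_uuids(ARCHIVED_URLS):
        print(uuid, "vulnerable:", resolve_form_vulnerable(uuid),
              "fixed (anonymous):", resolve_form_fixed(uuid))
```

The harvesting step is deliberately generic: it works on any list of URLs, so the same function can be pointed at waybackurls, gau, or a browser history export. The fixed resolver is the shape of check a reviewer would look for: the identifier selects the record, and a separate predicate (form state or program membership) decides whether the caller may see it.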

HackerOne confirmed that a fix has been deployed, and the researcher verified that the vulnerability is now resolved.
Here’s the write-up if you want to read the full details of the report (with sensitive info redacted):

https://medium.com/pinoywhitehat/idor-on-hackerone-embedded-submission-form-9e59c6f044b3