Topcoder: IDOR on deleting drafts via discardDraftId parameter

ID H1:868590
Type hackerone
Reporter powerpuff
Modified 2020-05-12T14:42:17


Hi :)

On, you can see your drafts, edit or delete them. Users can delete their own drafts on<DRAFT_ID>. But there is no check and an attacker can change discardDraftId and delete all drafts.


An attacker can delete other users' drafts.
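The missing check described in the report, shown beside a handler that enforces it. This is an added example, not part of the original report and not Topcoder's code; the in-memory store, the function names and the sample ids are hypothetical.

```python
# Added illustration: store layout, names and sample data are constructed.
class Forbidden(Exception):
    """Caller may not act on the requested draft."""


def make_store():
    # Constructed sample data: draft id -> owner user id.
    return {101: 1, 102: 2, 103: 2}


def discard_draft_unchecked(store, session_user_id, discard_draft_id):
    # Behaviour described in the report: the id from the request is trusted
    # and the session user is never compared with the draft's owner.
    return store.pop(discard_draft_id, None) is not None


def discard_draft_checked(store, session_user_id, discard_draft_id):
    # Resolve the draft, then compare its owner with the authenticated user.
    owner_id = store.get(discard_draft_id)
    if owner_id is None or owner_id != session_user_id:
        # Same error for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden(f"draft {discard_draft_id} unavailable")
    del store[discard_draft_id]
    return True


def demo():
    results = {}
    store = make_store()
    results["unchecked_cross_user"] = discard_draft_unchecked(store, 1, 102)
    results["unchecked_remaining"] = sorted(store)
    store = make_store()
    try:
        discard_draft_checked(store, 1, 102)
        results["checked_cross_user"] = "deleted"
    except Forbidden:
        results["checked_cross_user"] = "forbidden"
    results["checked_own"] = discard_draft_checked(store, 1, 101)
    results["checked_remaining"] = sorted(store)
    return results


if __name__ == "__main__":
    print(demo())
```

The owner comparison uses the user id from the authenticated session, never one supplied alongside discardDraftId in the request.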