IDORs with unpredictable IDs are valid vulnerabilities
1. Create two workspaces: workspace1 and workspace2, whose admins are admin1 and admin2. 2. Log in as user1 and create project1. 4. Using Burp Suite to intercept the request, replace workspace1's workspaceid with workspace2's workspaceid. 5. We can find that project1 appears as a new project, even though admin2 is not the...
Uber: Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII
The security researchers discovered a number of connected IDORs in the Uber business and voucher applications. By chaining these vulnerabilities together, the researchers could retrieve information related to existing voucher policies and modify those policies for monetary gain, such as for free...
HackerOne: Making program preference -> program visibility feature useless and disclosing API identifier in the process and data that may cause potential IDORs.
@spongebhav identified a vulnerability that let a victim believe their program membership wasn't shown on their profile, when in reality, it was. This could be used to identify system users of a program when the program blocked this...