2 matches found
Shopify: Access to Private Photos of Apps in App section (IDOR)
Bug location: https://MyShop.myshopify.com/admin/apps Description: The request for previewing a photo in the App section is vulnerable to an IDOR attack, where changing the ID discloses the link of private photos. It also discloses the shop domain details. The request goes through...
Meta: IDOR in Facebook Messages webcam photos
I found that photos people take with their webcam within private message conversations can be accessed without proper authorization via a photo preview mechanism. Even when the sender decides to discard the image after seeing the preview, it can later still be retrieved through this same preview...