IDOR to view User Order Information

Program: Bohemia Interactive
Bug Type: IDOR
Bounty: Unspecified
Date: 2017-11-06
IDOR Information-Disclosure PII-LEAK sensitive-data

Summary

The researcher found an IDOR vulnerability in the endpoint https://store.bistudio.com/order/1003793?confirmed=true, where 1003793 is the order ID. The ID is a sequential number and therefore guessable: incrementing or decrementing it returns the order data of other users, which is PII including their public IP addresses. In other words, the endpoint returned whatever order matched the ID in the URL without checking that the order belonged to the logged-in user.
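
The following is an added illustration of the bug class, not Bohemia Interactive's code: the order store, the customer IDs, the IP addresses and the handler names are all constructed for the example. It models the vulnerable lookup (order fetched by sequential ID, owner never compared with the session user), the fix (lookup scoped to the caller's own orders, with the same 404 response for "not found" and "not yours" so the endpoint does not leak which IDs exist), an unguessable public reference as a second layer, and the increment/decrement walk the researcher used to find other users' orders.

```python
"""Order-lookup IDOR and its fix, as an added example (not the vendor's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int      # sequential and guessable: the IDOR key in the report
    public_ref: str    # random reference handed to the customer (defence in depth)
    owner_id: int      # customer who placed the order
    ip_address: str    # PII that the report says was exposed
    total: str


# Constructed sample data: three customers with consecutive order IDs.
# IP addresses are from documentation ranges; references are made up.
ORDERS: Dict[int, Order] = {
    1003792: Order(1003792, "r_7fK2pQxZ9mNb4V", owner_id=1, ip_address="203.0.113.7", total="29.99"),
    1003793: Order(1003793, "r_Lw8sT1hJc5Rq0E", owner_id=2, ip_address="198.51.100.23", total="49.99"),
    1003794: Order(1003794, "r_Ab3nY6vGd2Xk9M", owner_id=3, ip_address="192.0.2.45", total="9.99"),
}


def _render(order: Order) -> dict:
    """The JSON the order page would return."""
    return {"order_id": order.order_id, "ip_address": order.ip_address, "total": order.total}


def view_order_vulnerable(order_id: int, session_user_id: int) -> Optional[dict]:
    """Vulnerable handler: the order is fetched by the ID in the URL and the
    session user is never compared with the owner, so any logged-in user can
    read any order (query parameters such as confirmed=true change nothing)."""
    order = ORDERS.get(order_id)
    if order is None:
        return None  # 404
    return _render(order)


def view_order_fixed(order_id: int, session_user_id: int) -> Optional[dict]:
    """Fixed handler: the lookup is scoped to the caller's own orders.
    'No such order' and 'not your order' both yield None (404) so the
    response does not confirm which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        return None
    return _render(order)


def view_order_by_ref(public_ref: str, session_user_id: int) -> Optional[dict]:
    """Second layer: address orders by an unguessable reference instead of a
    counter, and still enforce ownership (a random ID alone is not an
    authorization check; links get shared and logged)."""
    for order in ORDERS.values():
        if order.public_ref == public_ref and order.owner_id == session_user_id:
            return _render(order)
    return None


def enumerate_orders(handler: Callable[[int, int], Optional[dict]],
                     session_user_id: int, known_id: int, radius: int) -> List[int]:
    """The researcher's test: walk IDs on both sides of a known order ID and
    collect every ID for which the handler returned data."""
    found = []
    for oid in range(known_id - radius, known_id + radius + 1):
        if handler(oid, session_user_id) is not None:
            found.append(oid)
    return found


if __name__ == "__main__":
    me = 2  # logged in as the owner of order 1003793
    print("vulnerable:", enumerate_orders(view_order_vulnerable, me, 1003793, 2))
    print("fixed:     ", enumerate_orders(view_order_fixed, me, 1003793, 2))
```

Run as a script it shows the vulnerable handler yielding all three orders to user 2 while the fixed handler yields only 1003793. When retesting a fix for this class, use exactly this walk from a second account: the fixed endpoint must return the same status for a neighbouring ID that exists as for one that does not.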

References