

A Tale of Confusing IDOR 😤

Naaash

Background:

Hi!! I have been bug hunting and researching web & mobile applications for a while now. I used to mainly target private programs, either on Hackerone or Synack, but recently I decided to make a switch to public programs because -

  1. They pay waaayyy more than private programs.
  2. It’s more challenging to come across a bug since the same application is tested at least a million times.
  3. It helps me to make content about the bugs I come across so that I can give something back to the community.

Description:

TikTok Business allows its users to create “Advertiser Accounts”. A user can then edit that advertiser account, manage the roles of other users on it, or delete it as needed. Surprisingly, the delete functionality was also available to a user with the lower-privileged “Analyst” role. All that the lower-privileged user had to do was click the “Close Account” button and the advertiser account would be closed, even though this functionality was only supposed to be available to the admin of the advertiser account. I realised much later that this is an IDOR rather than just a privilege escalation: the endpoint performed no authorisation check at all, so the same HTTP request could be replayed with a different value of the “account_id” parameter and would close some other user’s advertiser account.

Vulnerable HTTP Request:

POST /api/v2/bm/account/close/?org_id=XXX HTTP/2
Host: business.tiktok.com
Cookie: REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://business.tiktok.com/manage/account?org_id=7073111030880108545
Content-Type: application/json;charset=utf-8
X-Csrftoken: REDACTED
Content-Length: 67
Origin: https://business.tiktok.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"account_id":"YYY","org_id":"XXX"}
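To make the missing check concrete, here is an added example (not TikTok’s code, and the in-memory account model, user names and IDs are constructed for illustration) that shows a handler for the request body above in its vulnerable form beside a fixed form that derives the authorisation decision from server-side role records rather than from the IDs the client sent:

```python
from dataclasses import dataclass, field

# Constructed in-memory model for the example; not TikTok's real schema.
@dataclass
class AdvertiserAccount:
    account_id: str
    org_id: str
    roles: dict = field(default_factory=dict)   # user_id -> "admin" | "analyst"
    closed: bool = False

class AuthorizationError(Exception):
    pass

def sample_accounts():
    """Two organisations; bob is only an analyst on acct-1001 (constructed IDs)."""
    return {
        "acct-1001": AdvertiserAccount("acct-1001", "org-A", {"alice": "admin", "bob": "analyst"}),
        "acct-2002": AdvertiserAccount("acct-2002", "org-B", {"carol": "admin"}),
    }

def close_account_vulnerable(accounts, user_id, org_id, account_id):
    """Mirrors the reported behaviour: the session is valid, so the handler
    trusts account_id/org_id from the body and closes whatever they name.
    user_id is never consulted."""
    accounts[account_id].closed = True
    return {"status": "ok"}

def close_account_fixed(accounts, user_id, org_id, account_id):
    """The client-supplied IDs are only lookup keys; the decision comes from
    the stored role of this user on this account. A 19-digit, non-incremental
    ID is not a substitute for this check."""
    acct = accounts.get(account_id)
    # Same error for "no such account" and "not in your org", so the endpoint
    # does not confirm which account IDs exist.
    if acct is None or acct.org_id != org_id:
        raise AuthorizationError("account not found in this organization")
    if acct.roles.get(user_id) != "admin":
        # Covers both the analyst-on-own-account case (privilege escalation)
        # and the someone-else's-account case (IDOR).
        raise AuthorizationError("admin role required to close this account")
    acct.closed = True
    return {"status": "ok"}

def try_close(accounts, user_id, org_id, account_id):
    """Convenience wrapper: True if the fixed handler closed the account."""
    try:
        close_account_fixed(accounts, user_id, org_id, account_id)
        return True
    except AuthorizationError:
        return False
```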

Steps to Reproduce:

  1. Go to https://business.tiktok.com/ and log in to your account.
  2. Go to the “Advertiser accounts” section and click on any of the available advertiser accounts.
  3. Click on the “Close” button.
  4. Intercept the vulnerable HTTP request using Burp Suite.
  5. Change the value of the “account_id” parameter to another user’s advertiser account ID.
  6. Forward the request. The response will display a confirmation message.
  7. The other user’s advertiser account will then be closed.

Timeline:

  • 10th March - Bug reported to TikTok

  • 15th March - Mentioned that it’s an IDOR instead of Privilege Escalation.

  • 15th March to 14th April - Had to help Hackerone’s triager since for some reason the “Close” button wasn’t available on their end.

  • 15th April - Triaged 🙂

  • 19th April - Severity reduced from 6.5 to 5.3 since the value of the “account_id” parameter is a 19-digit non-incremental value 😔

  • 25th April - Resolved

  • 27th April - Bounty awarded 💰

  • 3rd May - Requested for disclosure

  • 17th May - Report disclosed on Hackerone

Handles:

You can reach out to me on any of these platforms -

  • Twitter - https://twitter.com/naaash
  • LinkedIn - https://www.linkedin.com/in/avinashsudheer
  • Instagram - https://www.instagram.com/not.naash/