This is a sample blog post to show you how writing works in Hugo. You write everything in Markdown and Hugo converts it to HTML automatically.
Summary
While testing a SaaS platform’s API, I discovered multiple Insecure Direct Object Reference (IDOR) vulnerabilities that, when chained together, allowed complete account takeover of any user.
Discovery
During my initial reconnaissance, I noticed the API used sequential numeric IDs for user resources:
GET /api/v1/users/1234/profile
Changing the user ID returned another user’s profile data, including their email and phone number.
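The access pattern behind this finding, one authenticated session successfully reading profile resources that belong to other user IDs, is also what a defender can look for in API logs. The following detection sketch is an added example, not code from the original post or from the vendor; the log format and the sample lines are constructed for it, and the threshold is an assumption.

```python
"""Added example (not from the original post): flag sessions that successfully read
other users' resources, the pattern an IDOR on sequential IDs produces in API logs.
The log format and sample lines below are constructed for this example."""
import re
from collections import defaultdict

# Constructed access-log lines: <authenticated user> <method> <path> <status>.
# Session 1234 walks neighbouring IDs; session 9001 only touches its own resources;
# session 4321 tries a foreign profile but is refused (what a fixed API would log).
SAMPLE_LOG = """\
session_user=1234 GET /api/v1/users/1234/profile 200
session_user=1234 GET /api/v1/users/1235/profile 200
session_user=1234 GET /api/v1/users/1236/profile 200
session_user=1234 GET /api/v1/users/1237/profile 200
session_user=9001 GET /api/v1/users/9001/profile 200
session_user=9001 GET /api/v1/users/9001/settings 200
session_user=4321 GET /api/v1/users/1234/profile 404
"""

LINE_RE = re.compile(
    r"session_user=(?P<actor>\d+) \S+ /api/v1/users/(?P<target>\d+)/\S+ (?P<status>\d{3})"
)


def cross_user_reads(log_text: str) -> dict:
    """Map each session user to the set of *other* user IDs it read successfully.

    Only 2xx responses count: a correctly authorized API answers cross-user
    requests with an error, so those lines carry no evidence of exposure.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated endpoint or malformed line
        actor, target = m.group("actor"), m.group("target")
        status = int(m.group("status"))
        if target != actor and 200 <= status < 300:
            hits[actor].add(target)
    return dict(hits)


def flag_enumeration(log_text: str, threshold: int = 3) -> list:
    """Sessions that read at least `threshold` distinct foreign user IDs (assumed cutoff)."""
    return sorted(actor for actor, targets in cross_user_reads(log_text).items()
                  if len(targets) >= threshold)


if __name__ == "__main__":
    print(cross_user_reads(SAMPLE_LOG))
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

The check keys on the authenticated identity versus the identity in the path, which is exactly the comparison the vulnerable endpoint never made; the same query ported to whatever log store the platform uses would have surfaced the behaviour before a report arrived.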
Impact
An attacker could:
- Access any user’s personal information
- Modify account settings for any user
- Chain with password reset to achieve full account takeover
CVSS Score: 9.1 (Critical)
Steps to Reproduce
- Authenticate as a normal user
- Capture the API request to `/api/v1/users/{id}/profile`
- Change the `{id}` parameter to another user's ID
- Observe that the response contains the victim's profile data
Remediation
The vendor implemented proper authorization checks on all API endpoints, ensuring users can only access their own resources. They also migrated from sequential IDs to UUIDs.
Timeline
- 2026-01-15 - Reported to vendor via HackerOne
- 2026-01-16 - Vendor acknowledged (triaged in under 24 hours)
- 2026-01-25 - Fix deployed to production
- 2026-02-15 - Bounty awarded
- 2026-04-20 - Public disclosure approved