I’m writing about an IDOR vulnerability which I found on Edmodo, that allowed an attacker to edit any post, as well as change its privacy state to public or private, just by replacing his own post id with the victim’s while sending a post edit request.
Edmodo is a global education network that helps connect all learners with the people and resources needed to reach their full potential.
First of all, what is IDOR?
According to OWASP:
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
At first I had reported “Changing posts privacy state to public or private”, and got a reply from Chip Benson saying "I have forwarded your message to our User Trust & Safety Team." The same night, I found another IDOR, “Editing any posts”. Wasting no time, I reported it.
PUT /messages/<post_id>.replies_threaded_json?access_token=<Your_Access_Token> HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept-Encoding: gzip, deflate, br
By replacing <post_id> in the above request with the victim’s post id, an attacker was able to edit anyone’s post. This is a privilege escalation: the attacker performs the edit from his own ordinary account, and the server never checks that he owns the post it is modifying.
On the same endpoint /messages/:<post_id>.replies_threaded_json, I was able to:
1. Edit any posts.
2. Change the post privacy state to public or private.
The only difference was the field I was changing. The same access control applies to both.
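To show where the bug lives, here is an added example (my own illustration, not Edmodo’s code): a minimal post-edit handler with the missing ownership check, next to the hardened version. The post ids, user ids and in-memory store are constructed for illustration, and the field names are assumed.

```python
"""Added example: a post-edit handler without and with a server-side ownership
check. Ids, field names and the store are constructed/assumed, not Edmodo's."""
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    owner_id: int
    text: str
    public: bool          # the privacy state the writeup talks about


def make_store():
    """Constructed sample data: user 1 (attacker) and user 2 (victim) own one post each."""
    return {
        101: Post(post_id=101, owner_id=1, text="attacker's own post", public=False),
        202: Post(post_id=202, owner_id=2, text="victim's post", public=False),
    }


EDITABLE = {"text", "public"}  # body text and privacy flag; owner_id is never client-settable


def edit_post_vulnerable(posts, actor_id, post_id, changes):
    """The token proves who actor_id is, but the client-supplied post_id is
    trusted as-is: nothing ties the object being edited to the actor (IDOR)."""
    post = posts[post_id]
    for key, value in changes.items():
        if key in EDITABLE:
            setattr(post, key, value)
    return {"status": 200, "post_id": post_id}


def edit_post_fixed(posts, actor_id, post_id, changes):
    """Authorize on the server: honour the requested post_id only if the
    authenticated user owns that post, and reject unknown fields."""
    post = posts.get(post_id)
    # Same 404 for 'missing' and 'not yours', so a probe cannot learn whether
    # someone else's post id exists.
    if post is None or post.owner_id != actor_id:
        return {"status": 404, "error": "post not found"}
    unknown = set(changes) - EDITABLE
    if unknown:
        return {"status": 400, "error": f"unknown fields: {sorted(unknown)}"}
    for key, value in changes.items():
        setattr(post, key, value)
    return {"status": 200, "post_id": post_id}
```

The fix is the ownership comparison, not any change to the URL: the same check covers both the text edit and the privacy toggle, since both go through the same handler.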
I was hoping for bucks, but Edmodo doesn’t offer monetary rewards, so they rewarded me with a cool swag pack (T-shirts, hoodie, mugs, stickers).
Edmodo IDOR Video PoC:
Thanks to Edmodo security team for fixing the issue.