Editing Any Posts and Changing its Privacy on Edmodo

I’m writing about an IDOR vulnerability which I found on Edmodo, that allowed attacker to edit any posts as well as change the privacy state to public or private just by replacing his post id with victims while sending a post edit request.

About Edmodo:
Edmodo is a global education network that helps connect all learners with the people and resources needed to reach their full potential.

First of all, What is IDOR ?

According to OWASP:
Insecure Direct Object References occur when an application provides direct access to objects based onuser-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

At first I had reported “Changing posts privacy state to public or private” , got reply from Chip Benson saying that "I have forwarded your message to our User Trust & Safety Team." Same night, I found another idor “Editing any posts”. Wasting no time, I reported it.

Replacing the <post_id> with victim’s post id in the above request, attacker was able to edit anyone’s post. It leads to privilege escalation as an attacker can perform such a critical attack from his own account.

On the same endpoint /messages/:<post_id>.replies_threaded_json , I was able to:
1. Edit any posts.
2. Change the post privacy state to public or private.
The difference was the field am changing. The same access control applies to both.

I was in hope of bucks ?, but Edmodo doesn’t allow monetary reward, So they rewarded me with a cool swag packs (Tshirts, Hoodie, Mugs, Stickers).Edmodo Security

Edmodo IDOR Video PoC:

Thanks to Edmodo security team for fixing the issue.


4 thoughts on “Editing Any Posts and Changing its Privacy on Edmodo

Leave a Reply

Your email address will not be published. Required fields are marked *

14 + 13 =