IDOR results in deletion of others' public & private memos in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

What is IDOR (Insecure Direct Object Reference)?

Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a “direct object reference,” such as a database key, query parameter, or filename.

Steps to Reproduce

1> Create two accounts. As user1, create public and private memos; as user2, archive one of user2's own existing memos.
2> As user2 (the attacker), delete the archived memo and intercept the request.
3> Replace the memo ID in the intercepted request with the victim's (user1's) memo ID and observe the response.
4> The victim user's memo is deleted.

Proof of Concept

Screenshots link: https://drive.google.com/drive/folders/12B6R5faVtPevFYk0zIfbemD0nSAfz_wu?usp=sharing

Impact

Using this vulnerability a malicious user could easily delete every memo (public or private) in the entire application. Since memo IDs are numeric and sequentially incremented, valid IDs are trivial to enumerate, which makes this attack scenario easy to carry out.

Mitigation

1> Implement a proper access control check (an access control matrix) on every memo operation, not only on the listing endpoints.
2> Tie the authorization decision to the user ID held in the server-side session: the delete handler should verify that the memo's creator matches the session user, rather than trusting any ID supplied by the client.
3> Use a random, non-guessable identifier (such as a UUID containing letters and digits) for memos instead of a sequential numeric value, so that valid IDs cannot be enumerated.
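As an added illustration of mitigations 1 and 2 (and, as defense in depth, mitigation 3), the following Go snippet is example code written for this report, not code from the memos project. It contrasts a delete routine keyed only on the client-supplied memo ID with one that checks the memo's creator against the user ID from the server-side session. The Memo and Store types, the function names and the in-memory data are assumptions constructed for the example, not the project's own API or schema.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Memo is a constructed stand-in for a memo row; the field names are
// assumptions for this example, not the project's schema.
type Memo struct {
	ID        int
	CreatorID int
	Content   string
}

// Store is a constructed in-memory memo table.
type Store struct {
	memos map[int]*Memo
}

var (
	ErrNotFound  = errors.New("memo not found")
	ErrForbidden = errors.New("memo does not belong to the requesting user")
)

// NewStore builds a store from the given memos.
func NewStore(memos ...Memo) *Store {
	s := &Store{memos: map[int]*Memo{}}
	for i := range memos {
		m := memos[i]
		s.memos[m.ID] = &m
	}
	return s
}

// Exists reports whether a memo with the given ID is still stored.
func (s *Store) Exists(memoID int) bool {
	_, ok := s.memos[memoID]
	return ok
}

// DeleteMemoUnchecked models the vulnerable pattern described in the report:
// the only input is the memo ID taken from the request, so any authenticated
// user can delete any memo simply by changing that number.
func (s *Store) DeleteMemoUnchecked(memoID int) error {
	if !s.Exists(memoID) {
		return ErrNotFound
	}
	delete(s.memos, memoID)
	return nil
}

// DeleteMemo is the hardened version. sessionUserID must come from the
// server-side session (never from the request body or query string), and
// the memo's creator must match it before the row is removed. The HTTP
// layer may map ErrForbidden to 403, or to 404 if it prefers not to confirm
// that a memo exists.
func (s *Store) DeleteMemo(sessionUserID, memoID int) error {
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != sessionUserID {
		return ErrForbidden
	}
	delete(s.memos, memoID)
	return nil
}

// NewRandomMemoID returns a 128-bit random identifier as 32 hex characters.
// Random IDs only make enumeration impractical; they do not replace the
// ownership check above.
func NewRandomMemoID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed sample data: memo 1 belongs to the victim (user 1),
	// memo 2 to the attacker (user 2).
	s := NewStore(
		Memo{ID: 1, CreatorID: 1, Content: "victim's private memo"},
		Memo{ID: 2, CreatorID: 2, Content: "attacker's archived memo"},
	)
	// Attacker (session user 2) tampers the ID to 1.
	fmt.Println("checked delete of memo 1 by user 2:", s.DeleteMemo(2, 1))
	fmt.Println("memo 1 still exists:", s.Exists(1))
	fmt.Println("checked delete of memo 2 by user 2:", s.DeleteMemo(2, 2))
	id, _ := NewRandomMemoID()
	fmt.Println("example random memo id:", id)
}
```

The only difference between the two delete functions is the comparison of the stored creator ID with the session user ID; that one check is what closes the IDOR.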

Occurrences

We are processing your report and will contact the usememos/memos team within 24 hours. 17 days ago
Gaurish Kauthankar modified the report 17 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 16 days ago
STEVEN validated this vulnerability 12 days ago
Gaurish Kauthankar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Gaurish (Researcher), 12 days ago:

Hi Steven, can you please assign a CVE for this issue, since the impact of this is High?

STEVEN marked this as fixed in 0.9.1 with commit 3556ae 12 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 12 days ago
memo.go#L1-L94 has been validated