IDOR to delete user resources in usememos/memos

Valid

Reported on Dec 28th 2022


Description

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input (here, a resource ID in the request) to access an object directly, without verifying that the requesting user is authorized to act on that object.

Proof of Concept

1) Log in to your account at demo.usememos.com
2) Turn on your Burp Suite proxy
3) Go to the resources endpoint, delete one of your own resources and capture the request
4) Send this request to Repeater and drop the original request
5) Change the resource ID to the victim's resource ID and forward the request
6) You will see that the victim's resource has been deleted

POC video: https://drive.google.com/file/d/1KYrmd96u0G1pLDESopvvtLXP3w6Jjsr3/view?usp=sharing
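The request replayed in step 5 succeeds because the delete handler only checks that the caller has a session, not that the caller created the resource being deleted. The following is an added example, not code from the usememos/memos repository, that reproduces that pattern with Go's standard library: a vulnerable handler beside a hardened one that loads the row and compares its creator to the session user, then replays the attacker's request against both. The route `/api/resource/{id}`, the `X-Session-User` header standing in for the real session lookup, the `Resource` fields and the sample rows are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Resource is a stand-in for an uploaded-file row: an ID and the user who
// created it. Field names are assumptions for this example, not memos' schema.
type Resource struct {
	ID        int
	CreatorID int
	Filename  string
}

// Store is a minimal in-memory resource table.
type Store struct{ rows map[int]Resource }

func NewStore(rs ...Resource) *Store {
	s := &Store{rows: map[int]Resource{}}
	for _, r := range rs {
		s.rows[r.ID] = r
	}
	return s
}

func (s *Store) Get(id int) (Resource, bool) { r, ok := s.rows[id]; return r, ok }
func (s *Store) Delete(id int)               { delete(s.rows, id) }

// currentUserID stands in for the session lookup. The caller's identity must
// come from the authenticated session, never from the URL or body. The header
// used here is a constructed substitute for a real session cookie.
func currentUserID(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(r.Header.Get("X-Session-User"))
	return id, err == nil
}

func resourceIDFromPath(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/resource/"))
	return id, err == nil
}

// VulnerableDelete requires a session but deletes whatever ID the client names.
func VulnerableDelete(s *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := currentUserID(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		id, ok := resourceIDFromPath(r)
		if !ok {
			http.Error(w, "bad id", http.StatusBadRequest)
			return
		}
		s.Delete(id) // no ownership check: this is the IDOR
		w.WriteHeader(http.StatusOK)
	}
}

// HardenedDelete loads the row first and only deletes it when the session user
// is its creator. A foreign ID gets the same 404 as a non-existent one, so the
// endpoint does not reveal which IDs exist.
func HardenedDelete(s *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, ok := currentUserID(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		id, ok := resourceIDFromPath(r)
		if !ok {
			http.Error(w, "bad id", http.StatusBadRequest)
			return
		}
		if res, found := s.Get(id); !found || res.CreatorID != uid {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		s.Delete(id)
		w.WriteHeader(http.StatusOK)
	}
}

// Replay sends the attacker's request (user 2 deleting resource 1, owned by
// user 1) to a handler and reports the status and whether the victim's row survived.
func Replay(h func(*Store) http.HandlerFunc) (status int, victimStillHas bool) {
	store := NewStore( // constructed sample rows
		Resource{ID: 1, CreatorID: 1, Filename: "victim.png"},
		Resource{ID: 2, CreatorID: 2, Filename: "attacker.png"},
	)
	req := httptest.NewRequest(http.MethodDelete, "/api/resource/1", nil)
	req.Header.Set("X-Session-User", "2") // attacker's own valid session
	rec := httptest.NewRecorder()
	h(store)(rec, req)
	_, stillThere := store.Get(1)
	return rec.Code, stillThere
}

func main() {
	fmt.Println(Replay(VulnerableDelete)) // 200 false: victim's resource gone
	fmt.Println(Replay(HardenedDelete))   // 404 true: victim's resource kept
}
```

The check that matters is the comparison of `res.CreatorID` against the session user; a fix that instead compares against a user ID supplied in the request would reintroduce the same bug. The ownership check belongs on every per-object endpoint (read, update, delete), not only on delete.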



Impact

An attacker with any account can delete other users' resources by substituting the victim's resource ID, since the delete endpoint performs no ownership check. This is a direct loss of integrity of the victim's data.
STEVEN validated this vulnerability 12 days ago
Nehal Pillai has been awarded the disclosure bounty
STEVEN marked this as fixed in 0.9.1 with commit 3556ae 12 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 12 days ago
ResourcesDialog.tsx#L1-L249 has been validated