IDOR to delete memo from archives in usememos/memos
Dec 28th 2022
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
Proof of Concept
1) Login into your account at demo.usememos.com 2) Turn on your burpsuite proxy 3) Go to archived memos , delete one archived memo and capture the request in your burpsuite 4) Send this request to the repeater and drop the current request 5) Change the Memo ID to victims Memo ID and forward the request 6) You will see that the victims archived memo has been deleted POC video: https://drive.google.com/file/d/1iiQTBpcwnkXTvmNSdk25wIpBuZ8iRfRd/view?usp=sharing # Impact An attacker is able to delete victims archived memo's through an IDOR and cause huge impact on user "integrity"