IDOR to archive a victim's memo in usememos/memos


Reported on Dec 28th 2022


Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly, without verifying that the requesting user is authorized to act on the referenced object.

# Proof of Concept

1) Log in to your account at
2) Turn on your Burp Suite proxy
3) Click on the three dots at the top right of the memo, click on Archive and capture the request
4) Send this request to Repeater and drop the current request
5) Change the memo ID to the victim's memo ID and forward the request
6) You will see that the victim's memo has been archived

POC video:

# Impact

An attacker is able to archive a victim's memos through this IDOR, with a large impact on the integrity of user data.
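To make the failure mode and its fix concrete, the following Go illustration is added here; it is not code from the memos project. It builds an in-memory memo store with the archive operation written twice: once using the request-supplied memo ID directly, as the report describes, and once with an ownership check against the authenticated caller. A small handler then shows where each value should come from: the memo ID from the request, the user ID from session context set by an upstream auth middleware. Every name in it (Memo, MemoStore, ArchiveVulnerable, ArchiveChecked, UserIDKey, the memoId query parameter) is an assumption made for this example, and the sample memos are constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"strconv"
)

// Memo is a minimal stand-in for a note owned by one user (hypothetical type, not memos' own model).
type Memo struct {
	ID        int
	CreatorID int
	Archived  bool
}

// MemoStore is an in-memory map keyed by memo ID.
type MemoStore struct{ memos map[int]*Memo }

var (
	ErrNotFound  = errors.New("memo not found")
	ErrForbidden = errors.New("caller does not own this memo")
)

// NewMemoStore builds a store from constructed sample memos.
func NewMemoStore(memos ...*Memo) *MemoStore {
	s := &MemoStore{memos: make(map[int]*Memo)}
	for _, m := range memos {
		s.memos[m.ID] = m
	}
	return s
}

// ArchiveVulnerable is the IDOR pattern: the request-supplied memo ID is used with no ownership check.
func (s *MemoStore) ArchiveVulnerable(memoID int) error {
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	m.Archived = true
	return nil
}

// ArchiveChecked is the hardened form: the caller must be the memo's creator before state changes.
func (s *MemoStore) ArchiveChecked(currentUserID, memoID int) error {
	m, ok := s.memos[memoID]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != currentUserID {
		return ErrForbidden
	}
	m.Archived = true
	return nil
}

// IsArchived exposes the stored state so the effect of each path can be checked.
func (s *MemoStore) IsArchived(memoID int) bool {
	m, ok := s.memos[memoID]
	return ok && m.Archived
}

type ctxKey string

// UserIDKey is where an auth middleware would place the caller's ID, taken from the session, never from the request.
const UserIDKey ctxKey = "userID"

// ArchiveHandler wires the check into an endpoint: memo ID is request-controlled, user ID is server-controlled.
func (s *MemoStore) ArchiveHandler(w http.ResponseWriter, r *http.Request) {
	uid, ok := r.Context().Value(UserIDKey).(int)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	memoID, err := strconv.Atoi(r.URL.Query().Get("memoId"))
	if err != nil {
		http.Error(w, "bad memo id", http.StatusBadRequest)
		return
	}
	switch err := s.ArchiveChecked(uid, memoID); {
	case errors.Is(err, ErrNotFound):
		http.Error(w, "not found", http.StatusNotFound)
	case errors.Is(err, ErrForbidden):
		// A denied cross-user write is the signal to alert on for IDOR probing.
		log.Printf("authz denied: user %d tried to archive memo %d", uid, memoID)
		http.Error(w, "forbidden", http.StatusForbidden)
	default:
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	// Constructed sample data: user 1 owns memo 10, user 2 owns memo 20.
	store := NewMemoStore(&Memo{ID: 10, CreatorID: 1}, &Memo{ID: 20, CreatorID: 2})
	fmt.Println("vulnerable path, user 1 on memo 20:", store.ArchiveVulnerable(20)) // <nil>
	fmt.Println("checked path, user 1 on memo 20:", store.ArchiveChecked(1, 20))    // caller does not own this memo
}
```

Two design points worth noting. Answering a foreign memo with 403 confirms that the ID exists; a service that wants to avoid ID enumeration returns 404 for both the missing and the not-owned case. And the denied-write log line is the detection hook: a run of such denials from one session, each with a different memo ID, is what an attempt to walk other users' memos looks like from the server side.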
# Timeline

- We are processing your report and will contact the usememos/memos team within 24 hours (a year ago)
- A GitHub Issue asking the maintainers to create a exists (a year ago)
- STEVEN validated this vulnerability (a year ago)
- nehalr777 has been awarded the disclosure bounty
- STEVEN marked this as fixed in 0.9.1 with commit 3556ae (a year ago)
- STEVEN has been awarded the fix bounty
- This vulnerability has now been published (a year ago)