What is IDOR/Broken Access-Control Vulnerability?

Hey there, have you heard about IDOR or Broken Access Control vulnerability? No worries if you haven’t, let me explain it to you in simple terms. Basically, it’s a security issue that happens when an application doesn’t have proper checks and controls in place to prevent unauthorized access to data. This means that a hacker might be able to access sensitive information they shouldn’t be able to, like your personal information or even your bank account details.

Developers need to make sure that access controls are set up properly and that object IDs aren’t predictable. This will make it much harder for attackers to get into the system and keep our data safe. So, it’s important for developers to take this issue seriously and make sure they’re doing everything they can to protect our information.


The Story

Neeraj Sharma, a 20-year-old security enthusiast from India, found a critical bug on Instagram and received $49,500 from Facebook. The vulnerability was related to the editing of reel cover photos, in which an attacker could change the reel thumbnails of any Instagram user by knowing their clips_media_id (Media ID of the reel).

Neeraj started hunting on the Instagram app in December 2021, initially testing on Instagram Ads GraphQL API.

After a long search, he couldn’t find any bug, so he started searching on the Instagram reels section. After spending some time with the target, he found the point where users can edit their reels cover photo or thumbnail.

To test the vulnerability, Neeraj changed his reel thumbnail and intercepted all the HTTP requests using Burp Suite. After forwarding some requests, he discovered a vulnerable endpoint: POST /api/v1/media/configure_to_clips_cover_image/ HTTP/2.

The vulnerability allowed attackers to change reel thumbnails using specific HTTP requests. An attacker could have potentially exploited this bug to cause significant harm to Instagram users, including high-profile accounts, businesses, or even social media influencers.


Sharma Rewarded $49,500

The bug was disclosed to Facebook’s Security Team, which confirmed the vulnerability and rewarded Neeraj with a $49,500 bounty for his efforts.

The reward demonstrated Facebook’s commitment to maintaining security and the importance of independent security researchers in helping companies identify and address potential vulnerabilities.

In conclusion, Neeraj Sharma discovered a critical bug in Instagram that could have had far-reaching consequences. Through his efforts, he received a significant reward from Facebook and helped improve security for all Instagram users.


How to Prevent IDOR/Broken Access-Control Vulnerability?

To prevent IDOR (Insecure Direct Object Reference) and Broken Access Control vulnerabilities, follow these comprehensive steps:

  1. Implement Role-Based Access Control (RBAC)
    RBAC helps limit user access by assigning roles based on their tasks, preventing unauthorized access.
  2. Use a Proper Session Management System
    Session management systems ensure correct authentication and authorization, preventing unauthorized access to sensitive information.
  3. Use Unique Identifiers for Objects
    Use unpredictable identifiers (for example, random UUIDs) instead of sequential or easily guessable IDs, so that an attacker who knows one object ID cannot simply derive the IDs of other users' objects.
  4. Implement Access Control Checks
    Implement access control checks at various points in the system to ensure that users can only access data and functionalities that they are authorized to. These checks should include input validation and sanitization to prevent attackers from tampering with inputs and accessing unauthorized data.
  5. Limit the Use of Direct Object References
    Limit the use of direct object references by using indirect references or mapping tables to link objects to authorized users. This way, attackers cannot easily manipulate URLs to access unauthorized objects.
  6. Use Encryption
    Encrypt sensitive data both in transit and at rest to prevent unauthorized access to data. This can be achieved by using secure protocols such as HTTPS and SSL/TLS.
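The following is an added example, not code from the write-up or from Instagram: it models the reel cover-image update from the story as a vulnerable handler beside its hardened form, applying steps 3 and 4 above. Names, the in-memory store and the sample users are constructed for illustration.

```python
# Added example (not from the write-up): object-level authorization on a
# "set reel cover" operation. Store, user names and data are constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Reel:
    owner_id: str
    cover: str = "default.jpg"


class PermissionDenied(Exception):
    pass


class ReelStore:
    def __init__(self) -> None:
        self.reels: dict[str, Reel] = {}

    def create_reel(self, owner_id: str) -> str:
        # Step 3: random, unguessable media id instead of a sequential counter.
        media_id = secrets.token_urlsafe(16)
        self.reels[media_id] = Reel(owner_id=owner_id)
        return media_id

    def set_cover_vulnerable(self, caller_id: str, media_id: str, cover: str) -> None:
        # The flawed pattern: the caller is authenticated, but the media id
        # taken from the request is trusted without checking who owns it.
        self.reels[media_id].cover = cover

    def set_cover_secure(self, caller_id: str, media_id: str, cover: str) -> None:
        # Step 4: object-level check that the caller owns the referenced reel.
        reel = self.reels.get(media_id)
        if reel is None or reel.owner_id != caller_id:
            # Same outcome for "missing" and "not yours": no existence oracle.
            raise PermissionDenied("reel not found or not owned by caller")
        reel.cover = cover


def demo() -> tuple[str, str]:
    store = ReelStore()
    victim_reel = store.create_reel("victim")
    # Vulnerable path: knowing another user's media id is enough.
    store.set_cover_vulnerable("other_user", victim_reel, "tampered.jpg")
    after_vulnerable = store.reels[victim_reel].cover
    # Hardened path: the same request is refused and the cover is untouched.
    store.reels[victim_reel].cover = "default.jpg"
    try:
        store.set_cover_secure("other_user", victim_reel, "tampered.jpg")
    except PermissionDenied:
        pass
    return after_vulnerable, store.reels[victim_reel].cover
```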

IDOR and Broken Access Control vulnerabilities can be prevented by implementing proper access control checks, unique identifiers for objects, and RBAC. Limiting direct object references and using encryption can also help prevent these types of vulnerabilities.


Link to read full write up: here
