A Tale of Confusing IDOR

Bug Bounty Research · TikTok Business

Background

Hi!!

I have been bug hunting and researching web & mobile applications for a while now. I used to mainly target private programs, either on HackerOne or Synack, but recently I decided to make a switch to public programs because:

  1. They pay waaayyy more than private programs.
  2. It's more challenging to come across a bug since the same application is tested at least a million times.
  3. It helps me to make content about the bugs I come across so that I can give something back to the community.

Description

TikTok Business allows its users to create "Advertiser Accounts". A user can then edit the account, manage the roles of other users on it, or delete it as needed. Surprisingly, the delete functionality was also available to users with the lower-privileged "Analyst" role: all such a user had to do was click the "Close Account" button and the advertiser account would be closed, even though this action was supposed to be available only to the admin of that advertiser account. I realised much later that this is also an IDOR, since no authorisation check was performed on the object itself: the same HTTP request could be replayed with a different value of the "account_id" parameter, and that would close some other user's advertiser account.

Vulnerable HTTP Request

POST /api/v2/bm/account/close/?org_id=XXX HTTP/2
Host: business.tiktok.com
Cookie: REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://business.tiktok.com/manage/account?org_id=XXX
Content-Type: application/json;charset=utf-8
X-Csrftoken: REDACTED
Content-Length: 67
Origin: https://business.tiktok.com

{"account_id":"YYY","org_id":"XXX"}
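How the missing check could be enforced server-side, as an added illustration that is not part of the original post and not TikTok's code: a minimal Python model of the close-account handler, once with the behaviour the write-up describes (the client-supplied "account_id" is trusted outright) and once with the two checks that were missing, object ownership (the account belongs to the organisation the caller is acting in) and role (the caller is an Admin of that specific account). The account IDs, organisation IDs, user names and roles are constructed sample data; the audit list stands in for server logs so that denied attempts can be picked out for detection.

```python
"""Server-side authorisation for an "account close" request (added example)."""
import json
from dataclasses import dataclass

ADMIN = "Admin"
ANALYST = "Analyst"


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass
class AdvertiserAccount:
    account_id: str
    org_id: str
    roles: dict          # user_id -> role name (constructed membership table)
    closed: bool = False


class AccountService:
    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.audit = []  # list of dicts; constructed stand-in for server logs

    def _log(self, user_id, org_id, account_id, outcome, reason=""):
        self.audit.append({"user": user_id, "org_id": org_id,
                           "account_id": account_id, "outcome": outcome,
                           "reason": reason})

    def close_account_vulnerable(self, user_id, org_id, body):
        """Behaviour the write-up describes: the handler trusts the
        client-supplied account_id and performs no role or ownership check."""
        req = json.loads(body)
        acct = self.accounts[req["account_id"]]
        acct.closed = True
        self._log(user_id, org_id, acct.account_id, "closed")
        return {"code": 0, "msg": "success"}

    def close_account_fixed(self, user_id, org_id, body):
        """Hardened handler: the decision is made from the session's user_id
        and the server's own membership table, never from the body alone."""
        req = json.loads(body)
        account_id = req.get("account_id")
        acct = self.accounts.get(account_id)

        # Check 1 (object ownership): the account must exist and belong to the
        # organisation the caller is acting in; the body's org_id must agree.
        # A single generic error avoids confirming whether the ID exists.
        if acct is None or acct.org_id != org_id or req.get("org_id") != org_id:
            self._log(user_id, org_id, account_id, "denied", "account not in org")
            raise Forbidden("account not found in this organisation")

        # Check 2 (role): only an Admin of *this* account may close it.
        if acct.roles.get(user_id) != ADMIN:
            self._log(user_id, org_id, account_id, "denied", "role is not Admin")
            raise Forbidden("insufficient role")

        acct.closed = True
        self._log(user_id, org_id, account_id, "closed")
        return {"code": 0, "msg": "success"}

    def denied_attempts(self):
        """Detection view: denied close attempts (e.g. one user cycling
        through many account_ids) stand out in the audit trail."""
        return [e for e in self.audit if e["outcome"] == "denied"]


def build_sample_service():
    """Constructed sample data: two organisations, two advertiser accounts."""
    return AccountService([
        AdvertiserAccount("acct-1001", "org-1", {"alice": ADMIN, "bob": ANALYST}),
        AdvertiserAccount("acct-2002", "org-2", {"carol": ADMIN}),
    ])


def demo():
    """Replays the write-up's scenario against both handlers."""
    results = {}

    # Vulnerable handler: bob (Analyst in org-1) replays the request with the
    # account_id of an account in a different organisation.
    svc = build_sample_service()
    svc.close_account_vulnerable(
        "bob", "org-1", '{"account_id":"acct-2002","org_id":"org-1"}')
    results["vulnerable_cross_org_closed"] = svc.accounts["acct-2002"].closed

    # Fixed handler: same replay, then an Analyst on their own account,
    # then the account's Admin.
    svc = build_sample_service()
    attempts = [
        ("bob", '{"account_id":"acct-2002","org_id":"org-1"}'),
        ("bob", '{"account_id":"acct-1001","org_id":"org-1"}'),
        ("alice", '{"account_id":"acct-1001","org_id":"org-1"}'),
    ]
    outcomes = []
    for user, body in attempts:
        try:
            svc.close_account_fixed(user, "org-1", body)
            outcomes.append("closed")
        except Forbidden as exc:
            outcomes.append("forbidden: " + str(exc))
    results["fixed_outcomes"] = outcomes
    results["fixed_acct_1001_closed"] = svc.accounts["acct-1001"].closed
    results["fixed_acct_2002_closed"] = svc.accounts["acct-2002"].closed
    results["denied_count"] = len(svc.denied_attempts())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point of the fixed handler is that nothing in the request body is trusted on its own: "account_id" is only a lookup key, and the grant comes from the server's membership table for the authenticated user. Logging every denial with the attempted account_id also gives the blue team a simple signal for this class of bug, since legitimate users rarely post close requests for accounts they cannot see.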

Steps to Reproduce

  1. Go to https://business.tiktok.com/ and log in to your account.
  2. Go to the "Advertiser accounts" section and click on any of the available advertiser accounts.
  3. Click on the "Close" button.
     [Screenshot: Close button location]
  4. Intercept the vulnerable HTTP request using Burp Suite.
  5. Change the value of the "account_id" parameter to another user's advertiser account ID.
  6. Forward the request. The response will display a confirmation message.
     [Screenshot: Burp Suite intercept]
  7. The other user's advertiser account will then be closed.
     [Screenshot: Account closed confirmation]

Timeline

Handles

You can reach out to me on any of these platforms: