Insecure Direct Object References Reset Password: Toufik Airane @tfairane LaTeX January 5, 2015

This document summarizes an insecure direct object reference (IDOR) vulnerability found on the Vimeo.com website that allows resetting the password of any user account by manipulating the user ID in the password reset URL. The vulnerability was responsibly disclosed to Vimeo on January 5, 2015. The document provides details on how to retrieve a user's ID from their profile URL or via the Vimeo API, and then exploit the vulnerability by generating a password reset link using another user's ID. It also includes a brief overview of IDOR vulnerabilities and best practices for prevention.


Vimeo.com
Insecure Direct Object References
Reset Password
Toufik Airane
@tfairane
toufik.airane@gmail.com
www.tfairane.com
LaTeX
January 5, 2015

Contents
1 Introduction
1.1 Metadata
1.2 Timeline
1.3 Contact
2 Proof Of Concept : IDOR
3 IDOR Defense Cheat Sheet
4 Prepare the feat
4.1 Retrieve UserID
5 Scenario / Exploit
1 Introduction
Hi, my name is Toufik Airane, a student in IT security at the University of Paris Descartes.

1.1 Metadata
• vulnerability : Insecure Direct Object References (IDOR)
• impact : reset the password of any account given its user ID
• media : http://tfairane.com/archives/Vimeo.IDOR.mp4
• tools : Burp Suite

1.2 Timeline
• 30/12/2014 : date discovered (Happy New Year!)
• 05/01/2015 : responsible disclosure on hackerone.com

1.3 Contact
• Gmail : toufik.airane@gmail.com
• Twitter : @tfairane
• website : www.tfairane.com

Thanks to Vimeo.com staff.

2 Proof Of Concept : IDOR

First of all, what is an IDOR attack?

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.

https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
3 IDOR Defense Cheat Sheet
• Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
• Validate any private object references extensively with an "accept known good" approach.
• Verify authorization to all referenced objects.

https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
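To make the third cheat-sheet point concrete, here is an added example (not code from the advisory or from Vimeo) of a minimal password-reset flow written two ways. The vulnerable version checks only that a reset token exists and then trusts the user ID taken from the URL, which is exactly the IDOR pattern this document reports: a token issued for account A resets account B. The hardened version binds the token to the account it was issued for, stores only a hash of it, expires it, and makes it single-use, so the user ID in the URL is accepted only if it matches the token's owner. The user table, IDs and passwords are constructed for illustration.

```python
"""
Added example, not from the original advisory: a vulnerable password-reset
handler beside a hardened one. Users, IDs and passwords are constructed.
"""
import hashlib
import secrets
import time

# Constructed user table: user_id -> record (passwords kept in clear only
# to keep the example short; a real system stores password hashes).
USERS = {
    1001: {"name": "attacker", "password": "old-attacker-pw"},
    10272636: {"name": "victim", "password": "old-victim-pw"},
}


def parse_reset_link(link):
    """Split '/forgot_password/<user_id>/<token>' into (int user_id, token)."""
    _, _, user_id, token = link.split("/")
    return int(user_id), token


class VulnerableReset:
    """Checks that the token exists, then trusts the user_id from the URL.
    Any valid token resets any account: the IDOR described above."""

    def __init__(self):
        self.tokens = set()

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        return f"/forgot_password/{user_id}/{token}"

    def reset(self, user_id, token, new_password):
        if token not in self.tokens or user_id not in USERS:
            return False
        self.tokens.discard(token)
        USERS[user_id]["password"] = new_password  # no ownership check
        return True


class HardenedReset:
    """Token is bound to its owner, stored hashed, expires and is single-use.
    The URL's user_id is authorised only if it equals the token's owner."""

    TTL_SECONDS = 3600

    def __init__(self, now=time.time):
        self.now = now                # injectable clock for testing expiry
        self.tokens = {}              # sha256(token) -> (owner_id, expiry)

    @staticmethod
    def _digest(token):
        # Store a hash so a leaked token table cannot be replayed, and so the
        # dict lookup does not compare attacker-controlled bytes directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = (user_id, self.now() + self.TTL_SECONDS)
        return f"/forgot_password/{user_id}/{token}"

    def reset(self, user_id, token, new_password):
        key = self._digest(token)
        entry = self.tokens.get(key)
        if entry is None:
            return False                      # unknown or already used token
        owner, expiry = entry
        if self.now() > expiry:
            del self.tokens[key]
            return False                      # expired
        if owner != user_id or user_id not in USERS:
            return False                      # token not issued for this account
        del self.tokens[key]                  # single use
        USERS[user_id]["password"] = new_password
        return True


def demonstrate():
    """Return (vulnerable_result, hardened_result) for an attacker using their
    own reset token against the victim's user_id."""
    attacker, victim = 1001, 10272636
    v = VulnerableReset()
    _, tok = parse_reset_link(v.request_reset(attacker))
    vulnerable_result = v.reset(victim, tok, "chosen-by-attacker")
    h = HardenedReset()
    _, tok = parse_reset_link(h.request_reset(attacker))
    hardened_result = h.reset(victim, tok, "chosen-by-attacker")
    return vulnerable_result, hardened_result
```

Running `demonstrate()` returns `(True, False)`: the vulnerable handler lets the attacker's own token change the victim's password, while the hardened handler refuses because the referenced object (the victim's account) is not the one the token authorises. The ownership check is the part that matters for this advisory; the hashing, expiry and single-use properties are the usual complements from the same cheat sheet.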

4 Prepare the feat

4.1 Retrieve UserID
Sometimes, users customize their URL path, for example: http://vimeo.com/kerrytrainor
In that case, retrieving the UserID is easy: just call the Vimeo.com API.

http://vimeo.com/api/v2/kerrytrainor/info.xml
<users>
  <user>
    <id>10272636</id>
    <display_name>Kerry Trainor</display_name>
    <created_on>2012-02-02 14:12:45</created_on>
    <is_staff>1</is_staff>
    ...
  </user>
</users>
Finally: vimeo.com/user10272636

5 Scenario / Exploit
First, an attacker signs up for an account and requests "forgot password".

You will receive a link:
https://vimeo.com/forgot_password/[user id]/[token]
