What is an IDOR?
An Insecure Direct Object Reference (IDOR) occurs when an attacker, who is an authorised user of the system, simply changes a parameter value that directly refers to a system object so that it points at another object the user is not authorised for, and the application grants access to it.
Let's say User A logs in to the system and accesses “https://affectedsite.com/month/report?user=A” to fetch a monthly report.
If the user changes the value of the “user” parameter to “B”, as in “https://affectedsite.com/month/report?user=B”, and is able to download User B's monthly report, then the site is vulnerable to IDOR attacks.
More on IDOR can be found on the OWASP website.
Please note that IDOR is merged into “A5:2017-Broken Access Control” in OWASP Top 10 2017 (latest release). You can find more about OWASP Top 10 here!
Vulnerability in PayTM:
PayTM sends an SMS containing a short URL to end users who book movie tickets from the app, so that they can download the ticket. These short URLs look like “http://p-y.tm/15sTB”.
When we brute force the 5-digit alphanumeric token in the URL, we are able to access other tickets that were booked in the same period of time, which makes this an IDOR. For example:
Ticket : https:/apiproxy.paytm.com/v1/m
Although the discovered URLs do not reveal the end user's personal details, we are able to grab the QR code, movie name, theatre and show timing details!
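As an added illustration (not code from this post or from PayTM), the two patterns described above in Python: a report endpoint that trusts the “user” parameter beside one that checks ownership against the logged-in session, and a short-link store that issues high-entropy, expiring tokens, since an SMS link is opened without a login and ownership cannot be checked at lookup time. The function names, the in-memory stores and the sample reports are constructed assumptions.

```python
import math
import secrets

# Constructed sample data: monthly reports keyed by user id.
REPORTS = {"A": "January report for A", "B": "January report for B"}


def report_allowed(session_user, requested_user):
    """The referenced object must belong to the authenticated principal."""
    return requested_user == session_user


def fetch_report_vulnerable(session_user, requested_user):
    """IDOR: trusts the 'user' query parameter, so any logged-in user can read any report."""
    return REPORTS.get(requested_user)


def fetch_report_fixed(session_user, requested_user):
    """Hardened: authorises the object reference before returning the object."""
    if not report_allowed(session_user, requested_user):
        raise PermissionError("report does not belong to the authenticated user")
    return REPORTS[requested_user]


def keyspace_bits(alphabet_size, length):
    """Bits of entropy of a token drawn uniformly from alphabet_size ** length values."""
    return length * math.log2(alphabet_size)


# Ticket links sent by SMS are opened without a login, so the token itself must be
# unguessable and short-lived. Constructed in-memory store: token -> ticket entry.
TICKETS = {}


def issue_ticket_link(ticket, now, ttl_seconds=86400):
    """Bind a ticket to a 128-bit random token that expires after ttl_seconds."""
    token = secrets.token_urlsafe(16)  # 16 random bytes, about 29 bits more than 62**5 needs... see keyspace_bits
    TICKETS[token] = {"ticket": ticket, "expires": now + ttl_seconds}
    return token


def resolve_ticket(token, now):
    """Return the ticket for a live token; unknown and expired tokens get the same answer."""
    entry = TICKETS.get(token)
    if entry is None or now >= entry["expires"]:
        return None
    return entry["ticket"]
```

keyspace_bits(62, 5) shows the 5-character alphanumeric token space is under 30 bits, against 128 bits for the random token above.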
Bug Bounty Process
Last year, around March 2017, our team reported to PayTM that its short URLs were vulnerable to IDOR attacks, following PayTM's Bug Bounty process as shown below:
PayTM Team replied back to us stating that it is “DEFINED FUNCTIONALITY” and NOT A SECURITY BUG!
Please find the email screenshot below:
We tried our best to convince them that it is a security issue and not a good design, but in vain.
As of today, 1st March 2018, one year later, the vulnerability still exists, so don't be surprised if there is another visitor at the movie hall with the same ticket as you if you booked the ticket using PayTM!
Why a Public Post?
We published this post publicly in order to make all PayTM users aware of this functionality (as declared by PayTM's Security Team). If you think this is a valid SECURITY BUG, please go ahead and share this post on your social networks!