Spread the love

What is an IDOR?

Attacker, who is an authorised system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorised for and if gains access to it defines an Insecure Direct Object Reference or IDOR.

Lets say User A logs in to the system and accesses “https://affectedsite.com/month/report?user=A” to fetch a monthly report.

If the User changes the parameter “user” value to “B” as in “https://affectedsite.com/month/report?user=B”  and is able to download User B Monthly report, then the site is vulnerable to IDOR attacks.

OWASP References:

We can refer more on IDOR from OWASP Website.

Please note that IDOR is merged into “A5:2017-Broken Access Control ” in OWASP Top 10 2017 (latest release). You can find more about OWASP Top 10 here!

Vulnerability in PayTM:

PayTM uses short URLs to send SMS to the end users who book movie tickets from the app to download it. These short URLs for example will be “http://p-y.tm/15sTB

When we brute force the 5 digit alphanumeric token in the URL, we are able to access other tickets that were also booked in the same period of time which calls it to be IDOR. For example:

Short URL : http://p-y.tm/15sTB
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=403108205b1a1c28c8ef8eaeefd58129
Short URL : http://p-y.tm/15sTF
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=6dbd33e14c794cd1c85a3f47ed757332
Short URL : http://p-y.tm/15sTG
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=b371e71e0519b5d197b1b96b179a75e2
Short URL : http://p-y.tm/15sTI
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=01eb61d6e58894c9fa729bd3411961ff
Short URL : http://p-y.tm/15sTJ
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=b3525e193b0b6e43394dcc95f65b3f67
Short URL : http://p-y.tm/15sTK
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=163c4afb5ec084d300a63bb2408dc1e2
Short URL : http://p-y.tm/15sTL
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=7c3bc74af4a602bc89c01fd598e9df7a
Short URL : http://p-y.tm/15sTM
Ticket :https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=86b6c23a5c987383b32fdbff51fcd042
Short URL : http://p-y.tm/15sTU
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=4838e426bd56b6afb640478a1ed613ed
Short URL : http://p-y.tm/15sTV
Ticket : https:/apiproxy.paytm.com/v1/movies/summary?ticket_key=1e204cf11622c8563573bfd78cfd60df

Although the discovered URLs are not revealing the end user details, we are able to grab the QR Code, Movie Name, Theatre and the Show timing details!

Bug Bounty Process

Last year around March 2017, our team had reported an issue with PayTM’s short URLs that was vulnerable to IDOR attacks as per PayTM Bug Bounty process as shown below:

PayTM Team replied back to us stating that it is “DEFINED FUNCTIONALITY” and NOT A SECURITY BUG! 

Please find the email screenshot below:

We tried our best to convince them that it is a Security issue and not a good design but in vain.

Current Status

As of today as in 1st March 2018, 1 year later, the vulnerability still exists, so don’t be surprised if there is another visitor at the movie hall with the same ticket as you have if you have booked the ticket using PayTM!

Why a Public Post?

We published this post to public in order to make all the PayTM users aware of this functionality (as declared by PayTM’s Security Team). If you think this is a valid SECURITY BUG, please go ahead and share this post on your social networks using the tool below!

Hits: 126

Related articles