OWASP Top 10 bug bounty reports.
Top IDOR reports from HackerOne:
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 693 upvotes, $10500
- IDOR allow access to payments data of any user to Nord Security - 337 upvotes, $0
- Insecure Direct Object Reference (IDOR) - Delete Campaigns to HackerOne - 271 upvotes, $0
- idor allows you to delete photos and album from a gallery to Pornhub - 266 upvotes, $1500
- IDOR allows any user to edit others' videos to Pornhub - 245 upvotes, $1500
- Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
- IDOR delete any Tickets on ads.tiktok.com to TikTok - 193 upvotes, $0
- I.D.O.R To Order, Book, Buy, reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) to Yelp - 181 upvotes, $0
- IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
- IDOR allows an attacker to modify the links of any user to Reddit - 158 upvotes, $5000
- IDOR in the https://market.semrush.com/ to Semrush - 155 upvotes, $0
- IDOR leads to Edit Anyone's Blogs / Websites to Automattic - 144 upvotes, $0
- An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier to Unikrn - 121 upvotes, $3000
- [api.pandao.ru] IDOR for order delivery address to Mail.ru - 120 upvotes, $3000
- IDOR vulnerability (Price manipulation) to Acronis - 119 upvotes, $0
- Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability to Reddit - 114 upvotes, $5000
- IDOR and statistics leakage in Orders to Twitter - 110 upvotes, $289
- IDOR in https://3d.cs.money/ to CS Money - 110 upvotes, $0
- IDOR leading to downloading of any attachment to BCM Messenger - 105 upvotes, $0
- IDOR leads to leak analytics of any restaurant to Uber - 103 upvotes, $2000
- IDOR leads to See analytics of Loyalty Program in any restaurant. to Uber - 93 upvotes, $1500
- IDOR for changing privacy settings on any memories to TikTok - 91 upvotes, $0
- IDOR on TikTok Ads Endpoint to TikTok - 88 upvotes, $2500
- Access User Tickets via IDOR in [widget.support.my.games] to Mail.ru - 85 upvotes, $0
- CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card to Yelp - 80 upvotes, $0
- [unibet.com] Delete messages via IDOR at /mom-api/messages/unibet_█████████@unibet/ to Kindred Group - 77 upvotes, $0
- IDOR via internal_api "users" endpoint to New Relic - 76 upvotes, $1500
- IDOR when moving contents at CrowdSignal to Automattic - 76 upvotes, $0
- IDOR allowing to read another user's token on the Social Media Ads service to Semrush - 76 upvotes, $0
- RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ] to ██████ - 70 upvotes, $0
- Cross-Tenant IDOR (graphql AddRulesToPixelEvents query) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 69 upvotes, $0
- IDOR the ability to view support tickets of any user on seller platform to TikTok - 60 upvotes, $2500
- IDOR to view order information of users and personal information to Affirm - 56 upvotes, $500
- IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs to HackerOne - 53 upvotes, $0
- CSRF combined with IDOR within Document Converter exposes files to Open-Xchange - 52 upvotes, $500
- IDOR on HackerOne Feedback Review to HackerOne - 52 upvotes, $0
- IDOR on Tagged People to TikTok - 52 upvotes, $0
- IDOR to delete images from other stores to Zomato - 50 upvotes, $600
- Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to Twitter - 50 upvotes, $0
- IDOR of users to Mail.ru - 48 upvotes, $500
- IDOR in marketing calendar tool to Semrush - 48 upvotes, $0
- IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field to Logitech - 48 upvotes, $0
- IDOR with Geolocation data not stripped from images to IRCCloud - 47 upvotes, $200
- IDOR in sending support email upon Verifying user business domain to Trustpilot - 43 upvotes, $0
- IDOR - Delete technical skill assessment result & Gained Badges result of any user to LinkedIn - 37 upvotes, $0
- IDOR in the per-domain user list on relap.io to Mail.ru - 36 upvotes, $500
- IDOR in semrush academy to Semrush - 36 upvotes, $0
- IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account to EXNESS - 36 upvotes, $0
- China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn to Starbucks - 34 upvotes, $0
- IDOR: leak buyer info & Publish/Hide foreign comments to Judge.me - 34 upvotes, $0
- [api.pandao.ru] IDOR allows changing any user's address to Mail.ru - 33 upvotes, $1000
- IDOR: changing a user's email via Ситимобил Бизнес to Mail.ru - 33 upvotes, $0
- Sensei LMS IDOR to send message to Automattic - 33 upvotes, $0
- IDOR - disclosure of private videos - /api_android_v3/getUserVideos to Pornhub - 32 upvotes, $1500
- IDOR in editing courses to Radancy - 30 upvotes, $0
- No error thrown when IDOR attempted while editing address to OpenMage - 30 upvotes, $0
- IDOR in family pairing API to TikTok - 30 upvotes, $0
- IDOR to cancel any table booking and leak sensitive information such as email, mobile number, uuid to Zomato - 29 upvotes, $250
- [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint to Zomato - 29 upvotes, $0
- <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> to Rockstar Games - 28 upvotes, $0
- Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card to Starbucks - 28 upvotes, $0
- Idor on the DELETE /comments/ to RGhost - 28 upvotes, $0
- I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) to Yelp - 28 upvotes, $0
- IDOR when editing email leads to Account Takeover on Atavist to Automattic - 28 upvotes, $0
- [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint to New Relic - 27 upvotes, $2500
- Cross-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees to Uber - 27 upvotes, $0
- IDOR in TalentMAP API can be abused to enumerate personal information of all the users to U.S. Department of State - 27 upvotes, $0
- Ability to read any emails through IDOR on Nextcloud Mail to Nextcloud - 27 upvotes, $0
- IDOR - Downloading all attachments if having access to a shared link to Open-Xchange - 26 upvotes, $888
- IDOR on www.acronis.com API lead to steal private business user information to Acronis - 26 upvotes, $100
- IDOR on TikTok Seller to TikTok - 25 upvotes, $500
- IDOR Payments Status to Omise - 25 upvotes, $100
- IDOR in changing shared file name to Trint Ltd - 25 upvotes, $0
- IDOR in Bugs overview enables attacker to determine the date range a hackathon was active to HackerOne - 25 upvotes, $0
- IDOR to view User Order Information to BOHEMIA INTERACTIVE a.s. - 24 upvotes, $0
- IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter to Topcoder - 24 upvotes, $0
- Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number to Starbucks - 24 upvotes, $0
- IDOR - Other user's delivery address disclosed to Azbuka Vkusa - 24 upvotes, $0
- IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
- IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 23 upvotes, $610
- █████████ IDOR leads to disclosure of PHI/PII to U.S. Dept Of Defense - 23 upvotes, $0
- IDOR [mtnmobad.mtnbusiness.com.ng] to MTN Group - 23 upvotes, $0
- IDOR Causing Deletion of any account to Ubiquiti Inc. - 22 upvotes, $0
- IDOR widget.support.my.com to Mail.ru - 22 upvotes, $0
- IDOR in eform.molpay.com leads to see other users application forms with private data to Razer - 21 upvotes, $500
- IDOR to Account Takeover on https://████/index.html to U.S. Dept Of Defense - 21 upvotes, $0
- IDOR - Accessing other user's attachments via PUT /appsuite/api/files?action=saveAs to Open-Xchange - 20 upvotes, $888
- IDOR - Deleting other user's signature via /appsuite/api/snippet?action=update (although an error is thrown) to Open-Xchange - 20 upvotes, $300
- IDOR bug to See hidden slowvote of any user even when you don't have access right to Phabricator - 20 upvotes, $300
- IDOR in tracking driver logs at city-mobil.ru to Mail.ru - 20 upvotes, $150
- Insecure Direct Object Reference (IDOR) Allowing me to claim other user's photos (driving license and selfies) as mine to Cuvva - 20 upvotes, $0
- IDOR on Program Visibility (Revealed / Concealed) against other team members to HackerOne - 20 upvotes, $0
- IDOR ' can change any account email and cannot retrieve his account and access it ' at https://www.miroyalcanin.cl/ to Mars - 20 upvotes, $0
- IDOR to update folder name of other user to Trint Ltd - 19 upvotes, $0
- Metadata leakage via IDOR to Polymail, Inc. - 19 upvotes, $0
- IDOR: editing any wishlist to QIWI - 19 upvotes, $0
- IDOR while uploading ████ attachments at [█████████] to U.S. Dept Of Defense - 19 upvotes, $0
- IDOR ' can add animal to other account ' at https://www.miroyalcanin.cl/ to Mars - 19 upvotes, $0
- IDOR unsubscribe Anyone from Nextcloud's Newsletters by knowing their Email to Nextcloud - 18 upvotes, $0
- IDOR - Ability to view unlisted products to Reverb.com - 18 upvotes, $0
- IDOR in activateFuelCard id allows bulk lookup of driver uuids to Uber - 18 upvotes, $0
- IDOR Vulnerability in Job Preferences to Glassdoor - 18 upvotes, $0
- GRAPHQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson to Stripe - 18 upvotes, $0
- IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 17 upvotes, $500
- [app.mavenlink.com] IDOR to view sensitive information to Mavenlink - 17 upvotes, $0
- IDOR Leads To Account Takeover Without User Interaction to MTN Group - 17 upvotes, $0
- IDOR in report download functionality on ads.tiktok.com to TikTok - 16 upvotes, $500
- IDOR of contracts on dictor.mail.ru to Mail.ru - 16 upvotes, $150
- IDOR - Access to private video thumbnails even if video requires password authentication to Pornhub - 16 upvotes, $0
- [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato to Zomato - 16 upvotes, $0
- Singapore - IDOR in campaign.starbucks.com.sg to Starbucks - 16 upvotes, $0
- relap.io IDOR to Mail.ru - 16 upvotes, $0
- IDOR on partners.uber.com allows for a driver to override administrator documents to Uber - 15 upvotes, $500
- IDOR - Folder names disclosure inside a domain, regardless of user to Open-Xchange - 15 upvotes, $250
- [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users to Zomato - 15 upvotes, $100
- IDOR in merchant.rbmonkey.com allows deleting eShops of another user to RBKmoney - 15 upvotes, $0
- 'cnvID' parameter vulnerable to Insecure Direct Object References to Concrete CMS - 15 upvotes, $0
- idor leads to leak order information to Mail.ru - 15 upvotes, $0
- IDOR at 'media_code' when adding media to questions to Automattic - 15 upvotes, $0
- IDOR on notes to HTML injection to Palo Alto Software - 15 upvotes, $0
- IDOR to U.S. Dept Of Defense - 15 upvotes, $0
- [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users to New Relic - 14 upvotes, $1500
- IDOR - Leaking other user's folder names from /appsuite/api/import?action=ICA to Open-Xchange - 14 upvotes, $300
- IDOR allow to extract all registered email to Open-Xchange - 14 upvotes, $300
- IDOR on mcs.mail.ru to Mail.ru - 14 upvotes, $150
- IDOR on DoD Website exposes FTP users and passes linked to all accounts! to U.S. Dept Of Defense - 14 upvotes, $0
- IDOR in https://moneybird.com/user/accountant_company/edit(change company name) to Moneybird - 14 upvotes, $0
- IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in order_id parameter to Reddit - 13 upvotes, $500
- IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
- IDOR - Deleting other user's reminders just by id to Open-Xchange - 13 upvotes, $300
- Vimeo.com Insecure Direct Object References Reset Password to Vimeo - 13 upvotes, $0
- [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at clients/promoDataHandler.php to Zomato - 13 upvotes, $0
- Comment restriction in subsection "Workshop" of domain "steamcommunity.com" can be bypassed using IDOR to Valve - 13 upvotes, $0
- IDOR to edit test/poll/quiz on relap.io to Mail.ru - 13 upvotes, $0
- [Razer Pay Mobile App] IDOR within /v1_IM/friends/queryDrawRedLog allowed unauthorised access to read logs to Razer - 12 upvotes, $500
- IDOR to view other user folder name to Open-Xchange - 12 upvotes, $250
- IDOR exposes receipts of all users. to RecargaPay - 12 upvotes, $0
- IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user to U.S. General Services Administration - 12 upvotes, $0
- IDOR expire other user sessions to Shopify - 11 upvotes, $1000
- IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to Twitter - 11 upvotes, $0
- View & add to cart unlisted items via IDOR to Instacart - 11 upvotes, $0
- IDOR + Account Takeover [UNAUTHENTICATED] to U.S. Dept Of Defense - 11 upvotes, $0
- Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure to MTN Group - 11 upvotes, $0
- IDOR ' can delete any animal from other account ' at https://www.miroyalcanin.cl/ to Mars - 11 upvotes, $0
- IDOR in tender.mail.ru leading to Information Disclosure to Mail.ru - 10 upvotes, $0
- India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance to Starbucks - 10 upvotes, $0
- IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data to Topcoder - 10 upvotes, $0
- IDOR on stocky application-Low Stock-Variant-Settings-Columns to Shopify - 9 upvotes, $750
- [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure to Mail.ru - 9 upvotes, $0
- IDOR on update user preferences to Palo Alto Software - 9 upvotes, $0
- IDOR zakazaka (order status and reorder) to Mail.ru - 9 upvotes, $0
- IDOR leads to Leakage an ██████████ Login Information to U.S. Dept Of Defense - 9 upvotes, $0
- IDOR Allows Viewer to Delete Bin's Files to Lark Technologies - 9 upvotes, $0
- [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References to Mail.ru - 8 upvotes, $160
- IDOR create accounts and verify them with original account email to WakaTime - 8 upvotes, $0
- IDOR to delete test/poll/quiz on relap.io to Mail.ru - 8 upvotes, $0
- IDOR leaking PII data via VendorId parameter to U.S. Dept Of Defense - 8 upvotes, $0
- Insecure direct object reference vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
- Insecure Direct Object Reference (IDOR) vulnerability in a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
- IDOR on https://██████ via POST UID enables database scraping to U.S. Dept Of Defense - 7 upvotes, $0
- IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/ to U.S. Dept Of Defense - 7 upvotes, $0
- IDOR allows accounts to view full name of other accounts based on email through share notes feature to New Relic - 6 upvotes, $750
- [c-api.city-mobil.ru] IDOR chat messages between driver and customer to Mail.ru - 6 upvotes, $150
- IDOR in treat subscriptions to Zomato - 6 upvotes, $100
- IDOR - Disable sharing to Nextcloud - 6 upvotes, $0
- [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover to Mail.ru - 6 upvotes, $0
- Full Account Take-Over of ████████ Members via IDOR to U.S. Dept Of Defense - 6 upvotes, $0
- View another user information with IDOR vulnerability to U.S. Dept Of Defense - 6 upvotes, $0
- IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name to U.S. General Services Administration - 6 upvotes, $0
- Generating Unlimited Free Travel Gift Invites | IDOR to Airbnb - 5 upvotes, $0
- Insecure Direct Object Reference - access to other user/group DM's to Twitter - 5 upvotes, $0
- Insecure Direct Object Reference on badoo.com to Bumble - 5 upvotes, $0
- [auto.mail.ru] IDOR allowing editing of any user's post. to Mail.ru - 5 upvotes, $0
- Idor for firstpromoter service to Dropcontact - 5 upvotes, $0
- Insecure Direct Object Reference vulnerability to HackerOne - 4 upvotes, $500
- IDOR on https://www.eobot.com/paypal to Eobot - 4 upvotes, $0
- Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely to Veris - 4 upvotes, $0
- IDOR spam anyone's cellphone number through Cuvva app link to Cuvva - 4 upvotes, $0
- idor on upload profile functionality to U.S. Dept Of Defense - 4 upvotes, $0
- IDOR: Adding Contacts to Other User Groups to 8x8 - 4 upvotes, $0
- information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint to Mail.ru - 4 upvotes, $0
- IDOR on ███████ [HtUS] to U.S. Dept Of Defense - 4 upvotes, $0
- IDOR on removing Share to Enter - 3 upvotes, $250
- Insecure direct object reference - have access to deleted DM's to Twitter - 3 upvotes, $0
- Critical IDOR - Get venue data of any organization remotely to Veris - 3 upvotes, $0
- Critical IDOR - Can select any Parent while creating new Venue to Veris - 3 upvotes, $0
- Critical IDOR - Make Rule for Any Group & Any Venue remotely to Veris - 3 upvotes, $0
- Critical IDOR - Get Rules of any organization remotely to Veris - 3 upvotes, $0
- Critical IDOR - Get anyone's Terminal Data remotely to Veris - 3 upvotes, $0
- Critical IDOR - Set anyone's Terminal Data remotely to Veris - 3 upvotes, $0
- Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper to Veris - 3 upvotes, $0
- Critical IDOR - Delete any terminal/gatekeeper of any organization remotely to Veris - 3 upvotes, $0
- Critical IDOR - Delete any rule of any organization remotely to Veris - 3 upvotes, $0
- Critical IDOR - Delete any venue of any organization remotely to Veris - 3 upvotes, $0
- Critical IDOR - Delete any group of any organization remotely to Veris - 3 upvotes, $0
- Insecure Direct Object Reference on API without API key to Semrush - 3 upvotes, $0
- Insecure Direct Object Reference on in-scope .mil website to U.S. Dept Of Defense - 3 upvotes, $0
- IDOR - User is able to download charts/dashboards from cross accounts to New Relic - 3 upvotes, $0
- Members Personal Information Leak Due to IDOR to U.S. Dept Of Defense - 3 upvotes, $0
- IDOR able to buy a plan with lesser fee to Automattic - 3 upvotes, $0
- CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 2 upvotes, $0
- Insecure Direct Object References in https://vimeo.com/forums to Vimeo - 2 upvotes, $0
- Insecure Direct Object References that allows to read any comment (even if it should be private) to Vimeo - 2 upvotes, $0
- IDOR allows changing a user's information. to Mail.ru - 2 upvotes, $0
- IDOR - Delete Users Saved Projects to U.S. Dept Of Defense - 2 upvotes, $0
- Authorization bypass -> IDOR -> PII Leakage to U.S. Dept Of Defense - 2 upvotes, $0
- IDOR in locid parameter allowing to view others accounts Profile Locations to Yelp - 1 upvotes, $0
- IDOR Lead To VIEW & DELETE & Create api_key [HtUS] to U.S. Dept Of Defense - 1 upvotes, $0