Unsubscribe any user’s e-mail notifications via IDOR

Such an option is usually found in the footer of every e-mail.
  • The unsubscribe link looked something like this:
  • ?u = This was just the timestamp encoded in base64. I'm not sure what this parameter was for; maybe it logs the time at which the action was initiated. Manipulating it had no significant effect, but it had to be present in the request or the server returned status code 400.
  • ?id = The user ID. Getting a user ID was easy because an API call leaked it: all I had to do was visit the target user's profile and the API response exposed their user ID. (I chained that leak with this vuln and reported them together.)
  • The modified link looked something like this:
  • Modify the id parameter to the victim's user ID and forward the request. The victim is unsubscribed from the website's e-mail notification service.
  • To increase the severity of the vuln in your report, make sure you find a way to obtain other users' IDs. Otherwise the report will either be closed or rewarded with a low bounty.
  • Also, don't blindly report a vuln as soon as you find one. I've noticed this habit among many beginner hunters. Trust me, I have been through that phase: when I started, I too reported many low-hanging vulns whose severity I could have escalated for higher bounties.
  • So give it another try and look for a way to escalate the severity. Who knows, you may be rewarded with a higher bounty.
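The root cause above is that the unsubscribe endpoint trusts a caller-supplied `id` and only checks that `u` (a base64 timestamp) is present, not that it belongs to the request. The following is an added example, not code from the post or from the affected site: a minimal handler shaped like the vulnerable one, next to a hardened version in which the server mints a single HMAC-signed token that binds the user ID and issue time together, so editing the ID invalidates the signature and old links expire. The user records, the clock value and `SERVER_SECRET` are constructed for the demo; `unsubscribe_vulnerable`, `unsubscribe_hardened` and the token helpers are hypothetical names.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret; in production it would come from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def fresh_users():
    """Constructed sample data: user id -> subscription record."""
    return {
        "1001": {"email": "alice@example.test", "subscribed": True},
        "1002": {"email": "bob@example.test", "subscribed": True},
    }


def unsubscribe_vulnerable(params, users):
    """Handler shaped like the one in the post: ?u= must be present but is never
    checked, and ?id= is trusted as-is, so anyone who knows a user id can
    unsubscribe that user (IDOR)."""
    if "u" not in params or "id" not in params:
        return 400
    user = users.get(params["id"])
    if user is None:
        return 404
    user["subscribed"] = False
    return 200


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(user_id, issued_at=None):
    """Mint the token the server embeds in its own e-mail footer: user id and
    issue time are bound together under an HMAC, so neither can be edited."""
    ts = int(time.time() if issued_at is None else issued_at)
    body = _b64e(json.dumps({"id": user_id, "ts": ts}, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_unsubscribe_token(token, now=None, max_age=30 * 24 * 3600):
    """Return the user id the token was issued for, or None if it is malformed,
    its signature is wrong, or it is older than max_age seconds."""
    if "." not in token:
        return None
    body, sig_b64 = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return None
        payload = json.loads(_b64d(body))  # decoded only after the signature passes
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("ts"), int):
        return None
    now = time.time() if now is None else now
    if now - payload["ts"] > max_age:
        return None
    return payload.get("id")


def unsubscribe_hardened(params, users, now=None):
    """Hardened handler: the signed token is the only identity input; there is
    no separate ?id= parameter to tamper with."""
    user_id = verify_unsubscribe_token(params.get("token", ""), now=now)
    if user_id is None:
        return 403
    user = users.get(user_id)
    if user is None:
        return 404
    user["subscribed"] = False
    return 200


def rewrite_id_in_token(token, new_user_id):
    """Edit the id inside a token body while keeping the old signature; used
    only to show that the hardened handler rejects the edited token."""
    body, sig = token.split(".", 1)
    payload = json.loads(_b64d(body))
    payload["id"] = new_user_id
    return _b64e(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig


def demo():
    """Run both handlers over the constructed users and return the outcomes."""
    t0 = 1_700_000_000  # fixed clock so the results are reproducible
    results = {}
    users = fresh_users()
    # A base64 timestamp stands in for the post's ?u= parameter; it is never checked.
    results["vuln_other_user"] = unsubscribe_vulnerable({"u": _b64e(str(t0).encode()), "id": "1002"}, users)
    results["vuln_bob_subscribed"] = users["1002"]["subscribed"]
    users = fresh_users()
    alice_token = make_unsubscribe_token("1001", issued_at=t0)
    results["hardened_own"] = unsubscribe_hardened({"token": alice_token}, users, now=t0 + 60)
    results["hardened_alice_subscribed"] = users["1001"]["subscribed"]
    users = fresh_users()
    edited = rewrite_id_in_token(alice_token, "1002")
    results["hardened_edited"] = unsubscribe_hardened({"token": edited}, users, now=t0 + 60)
    results["hardened_bob_subscribed"] = users["1002"]["subscribed"]
    results["hardened_expired"] = unsubscribe_hardened({"token": alice_token}, fresh_users(), now=t0 + 40 * 24 * 3600)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable handler returns 200 and flips Bob's subscription when handed his ID; the hardened handler returns 403 for the token whose ID was rewritten (and for an expired one) and leaves Bob subscribed, because the HMAC covers both the ID and the timestamp. The same pattern applies to any link-driven account action sent by e-mail: bind the action to a server-signed token or an authenticated session rather than to a guessable or leakable identifier.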

Sagar Sajeev

18 y/o | Security Researcher | Bug Bounty Hunter |