Unsubscribe any user’s e-mail notifications via IDOR

Hello fellow Hackers. I’m Sagar Sajeev

In this writeup, I would like to share how I was able to unsubscribe any user from the Target website’s email notification service.

This was possible because the unsubscribe link, which is usually found in the footer of every mail, was vulnerable to IDOR: the endpoint acted on whatever user ID the link carried.

https://target.com/unsubscribe?u=9x0xxx98xx5cxx5xx71&id=123456

  • id = the user ID. It was easy to get the user ID, as there was an API call which was leaking it. All I had to do was visit the target user’s profile and the API leaked their User ID. (I chained that leak with this vuln and reported both.)

Replacing the id value with another user’s ID (here 654321) unsubscribed that user instead:

https://target.com/unsubscribe?u=9x0xxx98xx5cxx5xx71&id=654321
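To show why the endpoint above is an IDOR and what the fix looks like, here is an added example (my own code, not the target site’s implementation). It assumes the u parameter was meant to be a per-user token that the server never actually tied to the id parameter; the real format of u is unknown. The vulnerable handler trusts id on its own, the hardened one only honours an id when u is the HMAC that was minted for exactly that id, and the user store is constructed sample data.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample store: two subscribed users with placeholder ids and addresses.
def sample_users():
    return {
        "123456": {"email": "alice@example.org", "subscribed": True},
        "654321": {"email": "bob@example.org", "subscribed": True},
    }

# Assumption: a server-side secret that never reaches the client.
SECRET_KEY = b"demo-only-server-secret"

def parse_link(url):
    """Return the (u, id) query parameters of an unsubscribe link."""
    query = parse_qs(urlparse(url).query)
    return query.get("u", [""])[0], query.get("id", [""])[0]

def unsubscribe_vulnerable(url, users):
    """Mirrors the defect the writeup describes: id is trusted as-is and
    nothing binds the u value to it, so any id in the link is acted on."""
    _, user_id = parse_link(url)
    user = users.get(user_id)
    if user is None:
        return False
    user["subscribed"] = False
    return True

def make_token(user_id):
    """HMAC over the user id: a valid u for a given id can only be produced
    by whoever holds SECRET_KEY, which the mail recipient does not."""
    return hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def make_link(user_id):
    """The link the server would embed in a mail for this user."""
    return f"https://target.com/unsubscribe?u={make_token(user_id)}&id={user_id}"

def unsubscribe_hardened(url, users):
    """Same endpoint shape, but id is only honoured when u is the HMAC
    that was minted for exactly that id; a swapped id fails the check."""
    token, user_id = parse_link(url)
    if not user_id or not token.isascii():
        return False
    if not hmac.compare_digest(token, make_token(user_id)):
        return False  # token belongs to a different id (or none): refuse
    user = users.get(user_id)
    if user is None:
        return False
    user["subscribed"] = False
    return True

def tamper(url, new_id):
    """Rewrite only the id parameter, keeping the original u value."""
    token, _ = parse_link(url)
    return f"https://target.com/unsubscribe?u={token}&id={new_id}"

def demo():
    """Run Alice's link, with the id swapped to Bob's, against both handlers."""
    alice_link = make_link("123456")
    forged = tamper(alice_link, "654321")
    weak = sample_users()
    strong = sample_users()
    return {
        "vulnerable_accepted": unsubscribe_vulnerable(forged, weak),
        "bob_after_vulnerable": weak["654321"]["subscribed"],
        "hardened_accepted": unsubscribe_hardened(forged, strong),
        "bob_after_hardened": strong["654321"]["subscribed"],
        "genuine_link_still_works": unsubscribe_hardened(alice_link, strong),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding the token to the id is the minimum fix; in production the token would also carry an expiry or be single-use, and an unsubscribe request from a logged-in session should simply act on the session’s own user rather than on an id in the URL.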

Tips:

  • Also, don’t blindly report a vuln as soon as you find one. I’ve noticed this habit among many beginner hunters. Guys, trust me, I have been through that phase. When I started, I too reported many low-hanging vulns whose severity I could have escalated to gain more bounties.
  • Maybe give it another try and somehow find a way to escalate the severity. Who knows, maybe you’ll be rewarded with a higher bounty.

Timeline

Submitted : 18-08-2022

Accepted : 22-08-2022

Rewarded with joy and happiness : 😄

The company was a non-profit organization that ran an Old Age home. They did offer me $200. But I felt like accepting the bounty was not the right thing to do here.

I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made many other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!
