Unsubscribe any user’s e-mail notifications via IDOR

Sagar Sajeev
Aug 28, 2022

Hello fellow hackers. I’m Sagar Sajeev.

In this writeup, I would like to share how I was able to unsubscribe any user from the target website’s email notification service.

This was possible because the unsubscribe feature (the link that is usually found in the footer of every mail) was vulnerable to IDOR.
  • The unsubscribe link looked something like this:

https://target.com/unsubscribe?u=9x0xxx98xx5cxx5xx71&id=123456

  • ?u = Lol, it was just the timestamp encoded in base64. Not sure what the use of this parameter is; maybe it is for logging the time at which this action was initiated. Manipulating this param didn’t seem to have any significant impact, but its presence was necessary in the request or else status code 400 was returned.
  • ?id = The user ID. It was easy to get the user ID, as there was an API call that leaked it. All I had to do was visit the target user’s profile and the API leaked the user ID. (I chained it with this vuln and reported it.)
  • The modified link looked something like this:

https://target.com/unsubscribe?u=9x0xxx98xx5cxx5xx71&id=654321

  • Modify the id parameter to the victim’s user ID and forward the request. The victim is unsubscribed from the website’s email notification service.
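For comparison, this is how an unsubscribe link can be bound to its user so that swapping the id has no effect: the user id and an expiry are covered by an HMAC that only the server can compute. This is an added example, not the target’s code; the signing key, the base URL and the token layout are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example; a real service loads it from a secret store.
SECRET = b"example-unsubscribe-signing-key"
BASE = "https://target.com/unsubscribe?"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsubscribe_link(user_id: int, now: int, ttl: int = 7 * 24 * 3600) -> str:
    """Bind the user id and an expiry to an HMAC so the link cannot be re-pointed."""
    msg = f"{user_id}:{now + ttl}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return BASE + urlencode({"token": f"{_b64url(msg)}.{_b64url(sig)}"})


def verify_unsubscribe_link(url: str, now: int):
    """Return the user id the link is bound to, or None if tampered, malformed or expired."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    if "." not in token:
        return None
    msg_b64, sig_b64 = token.split(".", 1)
    try:
        msg, sig = _b64url_decode(msg_b64), _b64url_decode(sig_b64)
        user_id, exp = (int(x) for x in msg.decode().split(":"))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return user_id if now <= exp else None


def retarget_link(url: str, victim_id: int) -> str:
    """Replay the id swap from the writeup against the signed link: new id, old signature."""
    token = parse_qs(urlparse(url).query)["token"][0]
    msg_b64, sig_b64 = token.split(".", 1)
    _, exp = _b64url_decode(msg_b64).decode().split(":")
    return BASE + urlencode({"token": f"{_b64url(f'{victim_id}:{exp}'.encode())}.{sig_b64}"})
```

The plain `?u=...&id=...` form from the writeup carries no token at all, so the verifier rejects it outright, and a re-pointed token fails the signature check before the id is ever trusted.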

Tips:

  • To increase the severity of the vuln in your report, make sure you try to find a way to get the user IDs of other users. Otherwise they will either close the report or you’ll be rewarded with a low bounty.
  • Also, don’t blindly report a vuln as soon as you find one. I’ve noticed this habit among many beginner hunters. Guys, trust me, I have been through that phase. When I started, I too reported many low-hanging vulns whose severity I could have escalated to gain more bounties.
  • Maybe give it another try and somehow find a way to escalate the severity. Who knows, maybe you’ll be rewarded with a higher bounty.

Timeline

Submitted : 18–08–2022

Accepted : 22–08–2022

Rewarded with joy and happiness : 😄

The company was a non-profit organization that ran an old age home. They did offer me $200, but I felt like accepting the bounty was not the right thing to do here.

I do occasionally share some tips about bug bounties and related stuff over at my Twitter and LinkedIn handles, so do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made many other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!
