Jafar Abo Nada

Published On: 17 May 2019

$289

IDOR in twitter leads to Orders leakage Statistics

IDOR
Twitter | Web
---
LOW VALID

i found Insecure Direct Object Reference in "MoPub" twitter ads service .

Description

Twitter on its service "MoPub" statistics dedicated to the results of "Order", after the test shows that the endpoint "https://app.mopub.com/web-client/api/orders/stats/query" is infected with a "IDOR " bug Which led to the leak of private statistics "Orders" by another users

Impact

leakage statistics




Reproduction Steps

Step
1

[Create account in https://app.mopub.com/ and login

Step
2

[go to the link https://app.mopub.com/orders and create Order ]

Step
3

[using this POST Request you can disclose statistics another orders By changing the value of the parameter orderKeysin body request]

POST /web-client/api/orders/stats/query HTTP/1.1
Host: app.mopub.com

{"startTime":"2019-04-07","endTime":"2019-04-20","orderKeys":["43b29d60a9724fa9abbdc800044002d6"]}

Show Image

Timeline
.
Jafar 22 Apr 2019

The report was submitted

.
Twitter 22 Apr 2019

Needs more info. We were able to reproduce the behavior in your report, but this behavior requires a unique "orderKey" which seems like it would be difficult to b ... See More

.
Jafar 23 Apr 2019

Send more info We have two cases The first case is that the account administrator added a user with "Member" ROLE in the account, and then removed "Member" lat ... See More

.
Twitter 23 Apr 2019

Needs more info. If a Member saves this UUID, they can view the information at any time. If this information remains the same, an attacker can reproduce the same ... See More

.
Jafar 24 Apr 2019

Send more info I apologize for providing this proof because I am using a demo account that does not currently have any data. If this proof is necessary, I will ... See More

.
Twitter 24 Apr 2019

not ask you to activate an advertising campaign We will not ask you to activate an advertising campaign since it may be challenging to get live data without charging your Mopub account. We are ... See More

.
Twitter 25 Apr 2019

Triaged. Thank you for your report. We believe it may be a valid security issue and will investigate it further. It could take some time to find and updat ... See More

.
Twitter 03 May 2019

Reward paid Thanks again. As mentioned we’ll keep you updated as we investigate further. As a reminder, please remember to keep the details of this report ... See More

.
Twitter 15 May 2019

Patches were done

VALID






Show All Images