Hey guys, it's me, Khizer, again. This blog is about an IDOR issue I found in a web app, where changing the user ID in the Facebook auth callback linking request actually connects my Facebook account to the victim's site account, so by this I could get complete access to the user account.

So let's start. I was testing a web app, and when I got a chance to test it I realised that the website was identifying a user by a unique user ID, _user_id, and the value of this ID was something like aff20-33f3-4c8e-b3cb-77b2. So I created multiple accounts on that website and started checking in which requests this _user_id was being passed, and after some time I found out that in the Facebook auth callback linking request this _user_id is used in a similar way.


The request looked like this:

GET /login/auth/facebook/callback?linking=true&redirect_uri=https://target.com/account&_user_id=<User-ID> HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: <Cookies>
Connection: close
Upgrade-Insecure-Requests: 1

Now at this point I tried changing my _user_id to the _user_id of another test account, and the response to that request was 200 OK.

Before I passed this request, the Linked Accounts section in my victim account was like

So I logged in to that web app using my Facebook account, and I got access to my 2nd test account using no password at all, and the Linked Accounts section in my victim account was changed to

And I was like, damn! What just happened?

But now there was another issue, and it was about the _user_id. These 2 questions kept popping up in my head:

  1. How is an attacker going to get the user ID?
  2. It was unique for each user.

And the analyst on the submission was also not convinced about the PRIORITY of the issue being high because of this little issue, because the chances of an attacker getting the victim's _user_id were too low. So the next phase started, and I tested many public endpoints to check if any contained the user ID, but couldn't find any. But then I saw that if we open an image shared by the user (victim) and open the actual URL of the image, it was hosted on an S3 bucket and the image always had the user ID in the URL, i.e.


After getting this, the issue was triaged and was rewarded.

So this was a short POC about an IDOR to user account takeover 🙂
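
For anyone fixing this class of bug, here is the flawed linking pattern next to a hardened one. This is an added example, not the target site's code: the function names, the in-memory stores and the sample IDs are all hypothetical, and facebook_id is assumed to be the identity the server got back from the provider during the callback.

```python
# Constructed sample data: session cookie -> site account ID.
SESSIONS = {"sess-attacker": "user-aaaa", "sess-victim": "user-bbbb"}
# Site account ID -> linked Facebook identity.
LINKED_FACEBOOK = {}


def link_vulnerable(cookie, query, facebook_id):
    """Flawed pattern: the account to link is taken from the request."""
    if cookie not in SESSIONS:
        return 401
    # Any logged-in user can name any account in _user_id.
    LINKED_FACEBOOK[query["_user_id"]] = facebook_id
    return 200


def link_hardened(cookie, query, facebook_id):
    """Link only to the account that owns the authenticated session."""
    session_user = SESSIONS.get(cookie)
    if session_user is None:
        return 401
    # A client-supplied ID is never trusted; if one is sent and it does not
    # match the session owner, reject the request instead of ignoring it.
    supplied = query.get("_user_id")
    if supplied is not None and supplied != session_user:
        return 403
    # One Facebook identity must not end up linked to two site accounts.
    for account, linked in LINKED_FACEBOOK.items():
        if linked == facebook_id and account != session_user:
            return 409
    LINKED_FACEBOOK[session_user] = facebook_id
    return 200


if __name__ == "__main__":
    tampered = {"_user_id": "user-bbbb"}  # another account's ID
    print(link_vulnerable("sess-attacker", tampered, "fb-attacker"))
    print(LINKED_FACEBOOK)  # the other account is now linked
    LINKED_FACEBOOK.clear()
    print(link_hardened("sess-attacker", tampered, "fb-attacker"))
    print(LINKED_FACEBOOK)  # nothing was linked
```

The hardened version does not depend on _user_id staying secret, which matters here because the ID showed up in the S3 image URLs.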