🕵️♂️ Unauthorized Eyes on Private Chats: An IDOR Vulnerability in /v1/chats/:chat_id/view
By @ctrl_cipher
🧠 Overview
During a recent security assessment, I discovered an Insecure Direct Object Reference (IDOR) vulnerability in a web application’s chat functionality. The endpoint /v1/chats/:chat_id/view failed to properly validate the requesting user’s permissions, allowing any authenticated user to view other users’ private chat messages by simply changing the chat_id in the URL.
This vulnerability could have led to a massive privacy breach, potentially exposing sensitive user communications.
🧬 Understanding IDOR
IDOR is a type of access control vulnerability where an application exposes internal object references (like user IDs, document IDs, or chat IDs) without enforcing proper authorization checks. If an attacker can change the reference to something they shouldn’t access and the system doesn’t block them — that’s an IDOR.
🔎 Discovery
While exploring the application’s chat feature, I noticed the following endpoint being triggered when opening a conversation:
PUT /v1/chats/12345/view
The response returned structured JSON containing:
- Message history
- Sender and receiver info
- Timestamps
- Read status
I suspected the server might not be checking whether I was actually a participant in the chat. To test this, I changed the chat_id to the ID of a chat I wasn’t involved in:
PUT /v1/chats/12346/view
Boom! I received another user’s full chat thread — messages, metadata, and all.
🧩 Root Cause
The endpoint did not enforce object-level authorization: it assumed that any authenticated user was entitled to access any chat_id, instead of checking that the requesting user was a participant in that specific chat.
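To make the root cause concrete, here is an added example (mine, not code from the original post or from the affected application) modelling the handler behind /v1/chats/:chat_id/view in Python. The chat store, the user names alice, bob, carol and dave, and the function names view_chat_vulnerable, view_chat_fixed and probe_idor are all constructed for illustration. The vulnerable version checks only that the caller is authenticated; the fixed version also checks that the caller is a participant of the requested chat, and probe_idor is the kind of check a tester runs with a single low-privilege session to find which IDs leak.

```python
"""Model of a chat "view" endpoint: vulnerable handler beside the hardened one.
All data below is constructed sample data, not the real application's."""

from dataclasses import dataclass, field


@dataclass
class Chat:
    chat_id: int
    participants: frozenset            # user IDs allowed to read this chat
    messages: list = field(default_factory=list)


# Constructed sample data: two chats with disjoint participant sets.
CHATS = {
    12345: Chat(12345, frozenset({"alice", "bob"}), [("alice", "hi bob")]),
    12346: Chat(12346, frozenset({"carol", "dave"}), [("carol", "offer letter attached")]),
}


def view_chat_vulnerable(current_user, chat_id):
    """Reproduces the bug: authentication is checked, authorization is not.
    Returns (http_status, body)."""
    if current_user is None:
        return 401, None
    chat = CHATS.get(chat_id)
    if chat is None:
        return 404, None
    # Missing check: is current_user actually a participant of this chat?
    return 200, {"chat_id": chat.chat_id, "messages": chat.messages}


def view_chat_fixed(current_user, chat_id):
    """Hardened handler: object-level authorization tied to the requested chat_id."""
    if current_user is None:
        return 401, None
    chat = CHATS.get(chat_id)
    # Design choice (mine): answer 404 for both "no such chat" and "not your chat",
    # so a guessed chat_id does not get confirmed as existing by a 403.
    if chat is None or current_user not in chat.participants:
        return 404, None
    return 200, {"chat_id": chat.chat_id, "messages": chat.messages}


def probe_idor(handler, current_user, candidate_ids):
    """Tester's check: call the handler as one user for a list of IDs and return
    every ID that answered 200 although the user is not a participant."""
    leaked = []
    for cid in candidate_ids:
        status, _body = handler(current_user, cid)
        chat = CHATS.get(cid)
        if status == 200 and chat is not None and current_user not in chat.participants:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    ids = [12345, 12346]
    print("vulnerable leaks:", probe_idor(view_chat_vulnerable, "alice", ids))  # [12346]
    print("fixed leaks:", probe_idor(view_chat_fixed, "alice", ids))            # []
```

The participant check has to be evaluated against the object named in the URL on every request; a check done once at login, or a check on a different object (say, the user's own profile), does not prevent this class of bug. Returning 404 rather than 403 for chats the caller cannot see is a choice of mine, not something the write-up reports about the real fix.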
💰 Bounty Awarded
After a successful triage and verification process, I was awarded a bounty of $150.
🧾 Final Thoughts
IDORs remain one of the most common and impactful vulnerabilities in modern APIs. They’re easy to miss but devastating when exploited. I hope this write-up helps developers and bug bounty hunters alike stay vigilant and secure their endpoints properly.
If you’re a researcher, always test access control and if you’re a developer: “Don’t trust user input — especially when it refers to internal objects.”