A security researcher discovered a classic IDOR (Insecure Direct Object Reference) vulnerability in a state government web portal. By incrementing a numeric document ID parameter in an API request (/api/getDocument?id=10234), they could access other citizens' sensitive identity and address proof documents without any authorization checks. The server returned any document as long as the ID existed, with no verification of ownership. The vulnerability was responsibly disclosed to authorities and patched, and the researcher was recognized in the CERT-In Hall of Fame.

From infosecwriteups.com (3m read time)
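
The missing check described in the summary above, shown as an added example (not code from the portal or from the original write-up): a handler that returns any existing document, beside one that ties the record to the authenticated session. The in-memory store, the function names, the user names and the second document ID are assumptions made for illustration.

```python
# Added illustration: in-memory stand-in for the portal's document store.
# All IDs, owners and file names below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # account that uploaded the document
    filename: str

DOCUMENTS = {
    10234: Document(10234, "citizen-a", "identity_proof.pdf"),
    10235: Document(10235, "citizen-b", "address_proof.pdf"),
}

def get_document_vulnerable(session_user, doc_id):
    """Behaviour described in the summary: existence is the only check."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc          # never compares doc.owner to the caller

def get_document_fixed(session_user, doc_id):
    """Object-level authorization: the caller must own the record."""
    if session_user is None:
        return 401, None     # no authenticated session
    doc = DOCUMENTS.get(doc_id)
    # Same 404 for "missing" and "not yours", so responses do not
    # confirm which IDs exist.
    if doc is None or doc.owner != session_user:
        return 404, None
    return 200, doc

def audit_cross_owner_access(handler, user):
    """Regression check: IDs the handler serves to `user` that belong to others."""
    return sorted(
        doc_id for doc_id, doc in DOCUMENTS.items()
        if doc.owner != user and handler(user, doc_id)[0] == 200
    )

if __name__ == "__main__":
    print("vulnerable:", audit_cross_owner_access(get_document_vulnerable, "citizen-a"))
    print("fixed:     ", audit_cross_owner_access(get_document_fixed, "citizen-a"))
```

The audit function is the kind of check worth keeping in a test suite for every endpoint that takes an object ID: it should return an empty list for any handler and any user.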