Modifying Sprunk vs eCola crew data

Low
Rockstar Games

Team Summary

Official summary from Rockstar Games

In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that was exploitable in certain Rockstar Official Crews on the Social Club website. Rockstar Official Crews, unlike user-made Crews, use a flat hierarchy where all members are set to the same effective rank. Typically this is set to a low rank default. However, users in the eCola Official and Sprunk Official Crews were mistakenly set to Commissioner-level (maximum) rank as the default pattern. The user interface in Rockstar Official Crews does not permit users to alter Crew settings, but because users had maximum rank permissions, the application would accept direct POST requests sent to the appropriate endpoints. This allowed attackers to alter certain Crew settings that were editable via POST requests, including the Crew Motto and Open Invite status. Both the eCola and Sprunk Official Crews have been updated so that users no longer have max-rank permissions, and the Crew settings were reset to their intended values.

Reported by bugstar
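The access-control failure described in the summary, modelled as an added example that is not Rockstar's code: a rank-only authorization check on the settings endpoint lets a member of an Official Crew through because the misconfigured default rank is the maximum, while the hardened check authorizes on crew type first and restricts writes to the editable fields. The rank names, the Crew model and the audit helper are all hypothetical; the audit shows how the eCola/Sprunk misconfiguration could have been detected in data.

```python
from dataclasses import dataclass, field

# Hypothetical rank ladder, lowest to highest (constructed for this example).
RANKS = ["muscle", "representative", "lieutenant", "commissioner"]
EDITABLE = {"motto", "open_invite"}  # the only settings the POST endpoint may change

@dataclass
class Crew:
    name: str
    official: bool              # Rockstar Official Crew (flat hierarchy) or user-made
    default_rank: str           # effective rank of every member of an Official Crew
    motto: str = ""
    open_invite: bool = False
    members: dict = field(default_factory=dict)  # username -> rank, user-made crews only

def effective_rank(crew, user):
    # Official Crews give every member the same rank; user-made crews track it per user.
    return crew.default_rank if crew.official else crew.members.get(user, RANKS[0])

def apply_changes(crew, changes):
    # Allowlist the writable fields so a POST cannot mass-assign arbitrary attributes.
    for key, value in changes.items():
        if key not in EDITABLE:
            raise ValueError(f"{key} is not an editable setting")
        setattr(crew, key, value)

def update_settings_vulnerable(crew, user, changes):
    """Rank-only check: a max-rank member of an Official Crew gets through."""
    if RANKS.index(effective_rank(crew, user)) < RANKS.index("commissioner"):
        return False
    apply_changes(crew, changes)
    return True

def update_settings_fixed(crew, user, changes):
    """Authorize on crew type first; rank only matters inside user-made crews."""
    if crew.official:
        return False  # Official Crews are never member-editable, whatever the rank
    if RANKS.index(effective_rank(crew, user)) < RANKS.index("commissioner"):
        return False
    apply_changes(crew, changes)
    return True

def audit_official_crews(crews):
    """Detection: Official Crews whose default rank is anything but the lowest."""
    return [c.name for c in crews if c.official and c.default_rank != RANKS[0]]
```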

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Insecure Direct Object Reference (IDOR)