[Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN]
Before starting: Insecure Direct Object Reference, hereinafter referred to as IDOR, is a condition in which a user can access an object without passing the access rights check (OWASP, 2019).
With IDOR, a user can access, change, and delete data, which makes it a very dangerous class of security hole. Please note that the bug discussed in this writeup has been patched by Tokopedia, and screenshots are censored because they contain PII.
Manipulation of number of likes in Product Reviews
Steps to Reproduce
- Log in to your Tokopedia account and open a product review page.
- Click the "like a review" button and intercept the request it sends.
- The intercepted request carries several parameters, such as: product_id (the id of the product being reviewed), shop_id (the shop id), and user_id (the id of the user giving the like).
- Forward request, then get a success reply.
- The number of likes can be manipulated by replacing user_id with another user's id, with no interaction from that user required. Change user_id to another user id and delete some parameters to bypass the user authentication check.
- Forward request.
- The number of likes has increased.
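The root cause above is a handler that trusts the user_id sent by the client instead of the identity of the logged-in session. The following is an added example, not Tokopedia's code: a minimal like-a-review handler in its vulnerable form beside a hardened one that takes the actor from the session, rejects a mismatching user_id, and makes repeated likes idempotent. The parameter review_id and all function and class names are assumptions for the demo.

```python
# Added example (not Tokopedia's code): the IDOR pattern from the writeup
# beside a hardened handler. ReviewStore, review_id and the function names
# are hypothetical; the store is an in-memory stand-in for the database.
from dataclasses import dataclass, field


@dataclass
class ReviewStore:
    """Constructed stand-in for the reviews table: review_id -> set of
    user_ids who liked it. The like count is the size of that set."""
    likes: dict = field(default_factory=dict)

    def count(self, review_id: str) -> int:
        return len(self.likes.get(review_id, set()))


def like_review_vulnerable(store: ReviewStore, session_user_id, params: dict) -> dict:
    """Trusts the client-supplied user_id: whoever sends the request can
    record a like on behalf of any other user, inflating the count."""
    actor = params.get("user_id", session_user_id)  # client controls identity
    store.likes.setdefault(params["review_id"], set()).add(actor)
    return {"status": "success", "likes": store.count(params["review_id"])}


def like_review_hardened(store: ReviewStore, session_user_id, params: dict) -> dict:
    """Derives the actor from the authenticated session only. A user_id in
    the body that differs from the session is rejected (and is worth logging,
    since the mismatch is the signature of this bug class). A repeat like by
    the same user does not change the count."""
    if session_user_id is None:
        return {"status": "error", "reason": "unauthenticated"}
    if "user_id" in params and params["user_id"] != session_user_id:
        return {"status": "error", "reason": "user_id does not match session"}
    store.likes.setdefault(params["review_id"], set()).add(session_user_id)
    return {"status": "success", "likes": store.count(params["review_id"])}
```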
Timeline
- 23 Feb 2019 : Reported to Tokopedia.
- 23 Feb 2019 : Tokopedia received the report.
- 25 Feb 2019 : Tokopedia declared valid with Severity Medium.
- 01 Apr 2019 : The bug has been fixed.
- 22 May 2019 : Tokopedia sent 1.9 million IDR (about $135) as a reward.