Before starting: IDOR, Insecure Direct Object Reference (hereinafter referred to as IDOR), is a condition in which a user can access an object without passing an access-control check. (OWASP, 2019)
With IDOR, a user can read, change, or delete data belonging to other users, which makes IDOR a very dangerous class of security hole. Please note that the bug discussed in this writeup has been patched by Tokopedia, and screenshots are censored because they contain PII.
Affected Endpoint
https://ws.tokopedia.com/reputationapp/review/api/v1/likedislike
Impact
Manipulation of the number of likes on product reviews
Steps to Reproduce
- Log in to your Tokopedia account and open a product review page.
- With an intercepting proxy running, click the button to like a review and capture the request.
- The intercepted request carries several parameters, including product_id (the id of the product being reviewed), shop_id (the id of the shop), and user_id (the id of the user giving the like).
- Forward the request; the server replies with success.
- To manipulate the number of likes, replace user_id with another user's id; no interaction from that user is required. Change user_id to another user id and delete some parameters to bypass the user authentication check.
- Forward the modified request.
- The number of likes has increased, which shows that the server takes the liking user from the request body rather than from the authenticated session.
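The following is an added example, not Tokopedia's code and not taken from the original writeup. It models the reported behaviour in a toy in-memory handler: the vulnerable version takes the acting user from the request body, so one logged-in account can replay the request with many user_id values and inflate a review's like count; the hardened version takes the user only from the server-side session and deduplicates on (review, user). The review_id parameter, the session layout and the response shape are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ReviewStore:
    """In-memory stand-in for the review database (constructed for this example)."""
    # review_id -> set of user_ids that have liked the review
    likes: dict = field(default_factory=dict)

    def like_count(self, review_id: int) -> int:
        return len(self.likes.get(review_id, set()))


def like_review_vulnerable(store: ReviewStore, session: Optional[dict], body: dict) -> dict:
    """Models the reported bug: the acting user is read from the request body.

    Any holder of a valid session can submit arbitrary user_id values and the
    server records a like on behalf of each of them (the IDOR).
    """
    if session is None:
        return {"http": 401, "status": "error", "message": "login required"}
    user_id = body["user_id"]        # attacker-controlled
    review_id = body["review_id"]    # assumed parameter name
    store.likes.setdefault(review_id, set()).add(user_id)
    return {"http": 200, "status": "success", "likes": store.like_count(review_id)}


def like_review_fixed(store: ReviewStore, session: Optional[dict], body: dict) -> dict:
    """Hardened handler: the acting user comes only from the server-side session.

    A user_id in the body is ignored (a mismatch is flagged so it can be logged),
    and the (review_id, user_id) pair is the unit of deduplication, so one account
    can raise a review's like count by at most one.
    """
    if session is None or "user_id" not in session:
        return {"http": 401, "status": "error", "message": "login required"}
    user_id = session["user_id"]
    review_id = body.get("review_id")
    if not isinstance(review_id, int):
        return {"http": 400, "status": "error", "message": "review_id required"}
    spoofed = "user_id" in body and body["user_id"] != user_id
    store.likes.setdefault(review_id, set()).add(user_id)
    resp = {"http": 200, "status": "success", "likes": store.like_count(review_id)}
    if spoofed:
        resp["warning"] = "client-supplied user_id ignored"   # worth alerting on
    return resp


def inflate_likes(handler, store: ReviewStore, attacker_session: dict,
                  review_id: int, fake_user_ids) -> int:
    """Replays the writeup's attack: one session, many user_id values."""
    for uid in fake_user_ids:
        handler(store, attacker_session, {"review_id": review_id, "user_id": uid})
    return store.like_count(review_id)


if __name__ == "__main__":
    attacker = {"user_id": 1001}   # the attacker's own logged-in account (assumed id)
    print("vulnerable:", inflate_likes(like_review_vulnerable, ReviewStore(), attacker, 42, range(1, 51)))
    print("fixed:     ", inflate_likes(like_review_fixed, ReviewStore(), attacker, 42, range(1, 51)))
```

The fix is not to validate the client's user_id against the session but to drop it from the request contract entirely: the identity of the actor is something the server already knows, and any endpoint that accepts it from the client is an IDOR waiting to happen. Logging the mismatch gives the SOC a signal for tampering attempts.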
Timeline
- 23 Feb 2019 : Reported to Tokopedia.
- 23 Feb 2019 : Tokopedia received the report.
- 25 Feb 2019 : Tokopedia confirmed the report as valid with severity Medium.
- 01 Apr 2019 : The bug has been fixed.
- 22 May 2019 : Tokopedia paid a reward of IDR 1.9 million (about $135).