Summary

During testing, an Insecure Direct Object Reference (IDOR) was found in the account update endpoint. Although the endpoint required JWT authentication, it performed no object-level authorization, so an authenticated user could modify another user's account details simply by changing a user-controlled identifier in the request.

Discovery

Using my custom recon tool vpscanner, I explored the application and focused on the user dashboard, where personal details could be updated. While inspecting the requests, I noticed that the email field was user-controlled, suggesting a potential IDOR.

Validation

I created two accounts under my control. While logged in as Account A, I modified the email in the update request to reference Account B.

{
  "ventureId": "b2955f9c-2a1c-4437-b267-416baf7521b3",
  "contact": {
    "email": "victim@example.com",
    "nameFirst": "Hack",
    "nameLast": "IDOR",
    "phones": [
      { "phoneNumber": "947374451" }
    ]
  },
  "activities": [
    { "type": "DETAILS_UPDATE_REQUESTED" }
  ],
  "source": "WEBSITE_BUILDER"
}

The backend accepted the request and updated Account B's information, confirming the IDOR. Notably, the request carried a valid JWT, which shows that authentication alone does not prevent authorization flaws: the token proved who was calling, but nothing checked whether the caller owned the record being changed.

Impact

  • Unauthorized modification of other users' data (name, phone)
  • Risk of impersonation or social engineering
  • Undermines data integrity and trust

Severity: Medium

Mitigation

  • Enforce object-level authorization
  • Validate ownership for all sensitive operations
  • Do not trust client-supplied identifiers
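
The following is an added example, not code from the write-up or the affected application. It models the flaw and the mitigations above in a minimal Python handler: the vulnerable version selects the record to update from the client-supplied email (as the write-up indicates the backend did), while the hardened version updates only the record bound to the JWT subject and rejects an email change that collides with another account. The store, account ids and field names are constructed for the example.

```python
# Added example: vulnerable vs. hardened account update handler.
# Constructed sample data: two accounts, A (the tester) and B (the victim),
# keyed by the user id carried in the JWT "sub" claim.
def fresh_store():
    return {
        "user-A": {"email": "a@example.com", "nameFirst": "Alice", "nameLast": "A", "phones": []},
        "user-B": {"email": "victim@example.com", "nameFirst": "Bob", "nameLast": "B", "phones": []},
    }

# Fields this endpoint is allowed to change (assumed allow-list).
ALLOWED_FIELDS = {"email", "nameFirst", "nameLast", "phones"}


class AuthorizationError(Exception):
    pass


def update_vulnerable(jwt_sub, payload, store):
    """The flaw from the write-up: the JWT proves who the caller is, but the
    record to modify is chosen from the client-supplied contact email, so
    jwt_sub is never compared against the target."""
    wanted = payload["contact"]["email"]
    # Raises StopIteration if no account has that email (not the concern here).
    target = next(uid for uid, acct in store.items() if acct["email"] == wanted)
    store[target].update({k: v for k, v in payload["contact"].items() if k in ALLOWED_FIELDS})
    return target  # which account actually changed


def update_hardened(jwt_sub, payload, store):
    """Object-level authorization: the only record this endpoint may change is
    the one bound to the authenticated subject. Client-supplied identifiers
    (ventureId, email) are never used to choose the target."""
    if jwt_sub not in store:
        raise AuthorizationError("unknown subject")
    changes = {k: v for k, v in payload["contact"].items() if k in ALLOWED_FIELDS}
    new_email = changes.get("email")
    # A caller may change their own email, but not to an address that already
    # belongs to someone else; that would be an account-takeover vector.
    if new_email and any(uid != jwt_sub and a["email"] == new_email for uid, a in store.items()):
        raise AuthorizationError("email already in use by another account")
    store[jwt_sub].update(changes)
    return jwt_sub
```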

Key Takeaway: JWTs secure authentication, but authorization must always be explicitly enforced.