IDOR Revealing Images CDN Links

Hi Bug Bounty community, this is my first write up for a bug I found in a private HackerOne program. Let’s call it redacted.com for this article.

So there was a subdomain of redacted.com, something.redacted.com, where people could post queries and answer them via comments.

One interesting thing I noticed was that there was a markdown editor as well. I uploaded an image and attached it to a comment, and after attaching it I noticed that the markdown editor represented the image like this: [IMAGE]ID[IMAGE].

Upon changing the image ID and posting the comment, I would directly get the CDN link of other people’s images, including images that people had deleted (which were never actually removed from the CDN servers) and all of their private images.
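To make the defect concrete, here is an added illustration (my own sketch, not the program’s code): a hypothetical Python comment renderer that resolves the [IMAGE]ID[IMAGE] token, first in the vulnerable form that trusts the ID alone, then in a fixed form that checks ownership and deletion before emitting a CDN URL. The upload store, user names and URLs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Markdown token the editor emits for an attached upload: [IMAGE]ID[IMAGE]
IMAGE_TOKEN = re.compile(r"\[IMAGE\]([A-Za-z0-9_-]+)\[IMAGE\]")
PLACEHOLDER = "[image unavailable]"

@dataclass
class Upload:
    owner: str
    cdn_url: str
    private: bool = False
    deleted: bool = False  # soft-delete flag; the CDN object itself may linger

# Constructed sample upload store (hypothetical data, not from the program)
UPLOADS = {
    "1001": Upload("alice", "https://cdn.example.invalid/1001.png"),
    "1002": Upload("bob", "https://cdn.example.invalid/1002.png", private=True),
    "1003": Upload("bob", "https://cdn.example.invalid/1003.png", deleted=True),
}

def render_vulnerable(markdown: str, author: str) -> str:
    """Resolves every token by ID alone: any ID the author types becomes
    the CDN URL, so other users' private and deleted uploads leak."""
    def sub(m):
        up = UPLOADS.get(m.group(1))
        return f'<img src="{up.cdn_url}">' if up else PLACEHOLDER
    return IMAGE_TOKEN.sub(sub, markdown)

def can_reference(upload_id: str, author: str) -> bool:
    """A comment may only embed uploads its author owns and has not deleted."""
    up = UPLOADS.get(upload_id)
    return up is not None and not up.deleted and up.owner == author

def render_fixed(markdown: str, author: str) -> str:
    """Same rendering, but each token passes the ownership check before
    an ID is turned into a CDN URL; anything else stays a placeholder."""
    def sub(m):
        upload_id = m.group(1)
        if not can_reference(upload_id, author):
            return PLACEHOLDER
        return f'<img src="{UPLOADS[upload_id].cdn_url}">'
    return IMAGE_TOKEN.sub(sub, markdown)
```

The ownership check closes the IDOR, but deleted uploads also need the CDN object purged (or served only through signed, expiring URLs) so that a leaked link stops resolving.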

This issue was quite simple to exploit but was still a fun one to find.

TIMELINE

22 JAN 2021 — Reported.
24 JAN 2021 — Bounty awarded $XXX.
24 JAN 2021 — Triaged.
25 JAN 2021 — Fixed.