#idor

2026-02-22

📢 Ravenna Hub fixes an IDOR flaw that exposed students' personal data
📝 According to TechCrunch, an **IDOR (Insecure Direct Object Reference)** vulnerability affected the site...
📖 cyberveille: cyberveille.ch/posts/2026-02-2
🌐 source: techcrunch.com/2026/02/19/bug-
#EdTech #IDOR #Cyberveille

2026-02-20

Ravenna Hub IDOR flaw exposed 1.6M+ student records.

Authenticated users could access unauthorized profiles via URL manipulation.

Sensitive child & parent PII impacted.

Read:
technadu.com/student-admission

How should EdTech strengthen auth controls?

#InfoSec #AppSec #IDOR #DataBreach

Student Admissions Website Ravenna Hub Data Breach Exposes Child Information
2026-02-12

WebSocket Penetration Testing: How to Test for WebSocket Hijacking, IDOR, Injection & More
This article discusses using the WSStrike extension in Burp Suite for comprehensive WebSocket penetration testing. The vulnerability class includes WebSocket hijacking, IDOR (Insecure Direct Object References), and injection attacks. The root cause lies in weak implementation of WebSocket security measures, such as lacking proper authentication or validation checks. Researchers exploited this by intercepting WebSocket traffic using WSStrike, injecting malicious payloads to manipulate application behavior. For instance, an IDOR issue was exposed when the researcher manipulated a user's session token to access another user's data. The technical details revolve around analyzing and interacting with WebSocket communication protocols and their security flaws. The impact of these vulnerabilities can range from unauthorized access to sensitive data, account takeover, or even complete system compromise. WSStrike helped reveal a bounty of $10,000 for finding multiple critical issues in a platform. To prevent such attacks, enforce strong authentication and authorization mechanisms, validate input data, and regularly audit WebSocket implementation. Key lesson: Always prioritize security when implementing WebSocket communication. #BugBounty #WebSecurity #WebSocket #IDOR #Injection

medium.com/@exploitersorigin/w

2026-02-12

The Logic Flaw That Leads to Total Control: Mastering Account Takeovers in 2026
This vulnerability falls under the Authentication Bypass class, specifically Logical Account Takeover. ZACK0X01's tutorial reveals that attackers can bypass multi-factor authentication (MFA) by exploiting subtle disconnects in authentication flows. The researcher manipulates responses and leverages Insecure Direct Object References (IDOR) to gain control of any user account. By observing patterns in error messages, the researcher found opportunities to intercept MFA codes or bypass MFA checks entirely. The critical severity (CVSS ~9.8) demonstrates the devastating impact: complete account takeover and unauthorized access to sensitive data. The tutorial offers actionable insights for finding this high-impact vulnerability class in web applications. Key lesson: Look beyond syntax errors, focus on business logic flaws to master account takeovers. #BugBounty #WebSecurity #AuthenticationBypass #IDOR #AccountTakeover

infosecwriteups.com/the-logic-

2026-02-09

Donated blood? Your certificate in IKP had a predictable identifier

One of the basic vulnerabilities of web applications is IDOR (Insecure Direct Object Reference). It occurs when an application exposes direct references to objects (e.g. resources) based on an identifier supplied by the user, without properly verifying access permissions. In practice this means that, to gain access to a resource, it may be enough to know (or...

#Aktualności #Teksty #IDOR #Ikp #Konto #Pacjent #Websec

sekurak.pl/oddawales-krew-twoj

2026-02-02

Privilege Escalation Is Everything: 12 Real-World Chains That Lead to Full Account Takeover
This article discusses a collection of 12 privilege escalation chains that culminated in full account takeovers. The researcher identified and combined multiple vulnerabilities, including authentication bypass, authorization flaws, and information disclosure issues to gain elevated access. By exploiting these chained vulnerabilities, they obtained administrative privileges or compromised high-value accounts. For instance, one case involved an account with read-only permissions on a vulnerable forum platform. Leveraging IDOR (Insecure Direct Object References), the researcher manipulated post IDs to access other users' posts and gain write access. This allowed them to modify the password of a privileged user, escalating their own permissions. The impact was significant, as full account takeover often led to data breaches or unauthorized actions. No bounty amounts were disclosed in this article. To prevent such chains, validate inputs on multiple layers and implement least privilege principles for accounts and permissions. Key lesson: Vulnerabilities don't need to be critical; combining multiple issues can lead to serious consequences. #BugBounty #PrivilegeEscalation #Cybersecurity #WebSecurity #IDOR

cybersecuritywriteups.com/priv

2026-02-02

🚨 Alleged breach targets Spain’s Ministry of Science
Threat actor claims IDOR flaw exposed passports, DNI/NIE records & financial data.

technadu.com/alleged-data-brea

#InfoSec #DataBreach #IDOR #GovernmentSecurity #Spain

Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
2026-02-01

IDOR Lets Attackers Choose Your Payment Method
This article describes an IDOR (Insecure Direct Object Reference) vulnerability in a booking platform's payment flow. By modifying the booking_id parameter from one request to another, the researcher was able to force a different user's booking to use unavailable payment methods, such as Swish. This bypassed the core business logic that should have restricted specific services and stores to their appropriate payment options. To mitigate this issue, ensure thorough validation of all object references (booking_id, user_id, etc.) in requests and test state transitions and cross-context requests during security testing. Key lesson: Treat every object reference as a potential vulnerability. #BugBounty #IDOR #WebSecurity #PaymentFlow

medium.com/legionhunters/idor-

2026-01-21

How anyone's Firefox account could be deleted – an IDOR vulnerability in Mozilla's API

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Mozilla's API that allowed an authenticated attacker using OAuth (e.g. signing in with a Google account) to delete the account of another user registered via OAuth, knowing only their e-mail address. The server did not verify that the session sending the deletion request belonged to the account that was to be deleted. TLDR:...

#Aktualności #IDOR #Podatność #Websec

sekurak.pl/jak-mozna-bylo-usun

2026-01-21

How anyone's Firefox account could be deleted – an IDOR vulnerability in Mozilla's API sekurak.pl/jak-mozna-bylo-usun #Aktualności #IDOR #Podatność #Websec

2026-01-09

🔐 A short article on Secure Coding: a hands-on guide to fixing IDOR, insecure file upload and SQL Injection vulnerabilities through lab examples. Very useful for developers who want to improve the security of their source code. #SecureCoding #BảoMật #IDOR #SQLInjection #FileUpload #LậpTrình

reddit.com/r/programming/comme

BobDaHacker 🏳️‍⚧️ (bobdahacker@infosec.exchange)
2025-12-26

🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty

What I found:

  • "Expiring" videos didn't expire, URLs stayed valid forever
  • Decrement attachment ID = anyone's private videos
  • Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
  • Fake system messages (made a Raid Shadow Legends sponsorship lol)

The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.

This is how disclosure should work. Take notes, Lovense.

Full writeup: bobdahacker.com/blog/taimi-idor

#InfoSec #BugBounty #ResponsibleDisclosure #IDOR #Taimi #DatingApp #Security #Privacy #CyberSecurity #LGBTQ

2025-12-18

HTB Season Gacha | MonitorsFour — The full path from IDOR to Docker Desktop escape (WSL2) and root

Continuing the series of write-ups for the Season of the Gacha event on HackTheBox, I want to share a walkthrough of MonitorsFour. The machine turned out not to be the hardest, but it had a non-obvious catch: a Windows host with Docker Desktop, which added headaches at the privilege escalation stage. I admit that at first I was confused as to why Nmap showed Windows while the shell I got was Linux, but more on that a bit later. The machine features IDOR, current CVEs and a Docker container escape, which in my opinion is an excellent set for practising skills. Let's dig in!

habr.com/ru/articles/978238/

#пентест #хакерство #hackthebox #ctf #pentesting #кибербезопасность #информационная_безопасность #idor #docker #cve

2025-12-05

I just completed IDOR - Santa’s Little IDOR room on TryHackMe. Learn about #IDOR while helping pentest the TrypresentMe website. tryhackme.com/room/idor-aoc202 #tryhackme via @RealTryHackMe

2025-11-24

Wielkopolskie Centrum Medycyny Pracy – by changing the ID number in the browser, one could see other patients' test results.

Marcin reported to us an easy-to-exploit flaw / vulnerability. He was having tests done at the Wielkopolskie Centrum Medycyny Pracy and in one of the systems he became curious about a number visible in the HTML source that was related to the test being performed. He changed that number by one and... gained access to another patient's test results....

#Aktualności #IDOR #Medycyna #Websec #Wyciek

sekurak.pl/wielkopolskie-centr
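The missing ownership check behind the IKP certificate IDs, the Mozilla account-deletion bug and the medical-centre results lookup described in the posts above, shown as an added example that is not code from any of the linked articles: the vulnerable handler beside its fixed form, with constructed sample data and hypothetical function names.

```python
# Added example (not code from the linked articles): an IDOR-prone lookup,
# an IDOR-prone delete, and their hardened forms. All data is constructed.
from dataclasses import dataclass

class PermissionDenied(Exception):
    """Raised when the caller may not act on the referenced object."""

@dataclass(frozen=True)
class Session:
    user_id: int  # set by the login step, never taken from the request

# Constructed sample data with sequential IDs, the pattern behind the
# "change the number by one" findings described in the posts above.
LAB_RESULTS = {
    1001: {"patient_id": 1, "result": "hemoglobin 14.2 g/dL"},
    1002: {"patient_id": 2, "result": "glucose 5.1 mmol/L"},
}

def get_result_vulnerable(session: Session, result_id: int) -> dict:
    """IDOR: the caller is authenticated, but ownership is never compared."""
    return LAB_RESULTS[result_id]

def get_result_fixed(session: Session, result_id: int) -> dict:
    """Authorization is a property of (caller, object): check both together."""
    record = LAB_RESULTS.get(result_id)
    # One error for both "missing" and "not yours", so the ID space cannot be probed.
    if record is None or record["patient_id"] != session.user_id:
        raise PermissionDenied("not found")
    return record

def delete_account_vulnerable(session: Session, email: str, accounts: dict) -> bool:
    """IDOR: the target is a client-supplied e-mail; the session only has to exist."""
    if email not in accounts:
        return False
    del accounts[email]
    return True

def delete_account_fixed(session: Session, email: str, accounts: dict) -> bool:
    """The session must own the account it asks to delete."""
    if accounts.get(email) != session.user_id:
        raise PermissionDenied("not found")
    del accounts[email]
    return True

def is_denied(fn, *args) -> bool:
    """True if fn(*args) raises PermissionDenied (used by the checks below)."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False
```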

Offensive Sequence (offseq@infosec.exchange)
2025-11-23

🚨 CVE-2025-13526 (HIGH): OneClick Chat to Order for WordPress (<=1.0.8) is vulnerable to IDOR. Attackers can fetch PII & payment info by changing order IDs in URLs. Disable plugin or enforce strict access controls now! radar.offseq.com/threat/cve-20 #OffSeq #WordPress #IDOR #Infosec

High threat: CVE-2025-13526: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in walterpinem On
Offensive Sequence (offseq@infosec.exchange)
2025-11-20

🔴 CVE-2025-65021 (CRITICAL, CVSS 9.1) in lukevella Rallly <4.5.4: Auth’d users can finalize others' polls via IDOR, risking data integrity. Patch to v4.5.4 ASAP! Monitor & audit poll actions. radar.offseq.com/threat/cve-20 #OffSeq #Rallly #Vuln #IDOR

Critical threat: CVE-2025-65021: CWE-285: Improper Authorization in lukevella rallly

it desperately needs to be blocked but I am back with a new #crochet #Cardgame #Coaster! This time, I made an #Intersex #Diamond! ♦️ It was not planned but it's very fitting for today's #IntersexDayOfRemembrance! #IDOR #handmade

a crochet cardgame diamond looking like the intersex pride flag (yellow with a purple crochet ring in the middle)
