$1,700 IDOR: Unauthorized Modification of Web Hosting Configuration
Summary
A hacker has shared details of an insecure direct object reference (IDOR) vulnerability they found in ExHub, a cloud hosting, project collaboration and deployment platform for Python development.
They discovered that any user could modify a project’s web hosting settings simply by knowing the project ID, as the platform failed to adequately verify if the user had permission to make changes.
Because of this flaw, unauthorised users could alter hosting configurations, opening the door to malicious access, service disruption or privilege-escalation attempts. It also violated the principle of least privilege: users holding only a reader role could perform administrative actions.
The vulnerability was reported to ExHub in August 2024, and the bug hunter was awarded a $1,700 bounty, including a bonus for providing a detailed report and retesting the fix.
The key lesson is the importance of proper authentication and authorisation checks on all sensitive API endpoints to prevent such vulnerabilities.
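To make the lesson concrete, here is an added example (not from the original write-up and not ExHub's code) contrasting the vulnerable pattern the report describes, where a known project ID is enough to change hosting settings, with a handler that authorises the caller against that specific project. The role names, the in-memory store and the policy that only owners and admins may edit hosting settings are assumptions for the example.

```python
"""IDOR on a hosting-configuration update: object lookup without authorisation,
beside the fixed version that checks the caller's role on that object."""
from copy import deepcopy

# Constructed sample state: per-project hosting settings and member roles.
_DEMO_PROJECTS = {
    "proj-42": {
        "hosting": {"domain": "demo.example", "entrypoint": "app:main"},
        "members": {"alice": "owner", "bob": "reader"},
    },
}
# Assumed policy: only these roles may change a project's hosting settings.
HOSTING_ADMIN_ROLES = {"owner", "admin"}


class Forbidden(Exception):
    """Raised when an authenticated caller lacks rights on the target project."""


def make_demo_store():
    """Return a fresh copy of the sample state so each call sequence starts clean."""
    return deepcopy(_DEMO_PROJECTS)


def update_hosting_vulnerable(store, actor, project_id, new_settings):
    """Vulnerable pattern: the caller is authenticated (we know `actor`) but the
    handler never asks whether `actor` may modify *this* project, so any account
    that knows the project ID can rewrite its hosting settings."""
    project = store[project_id]              # existence check only
    project["hosting"].update(new_settings)  # no ownership / role check
    return project["hosting"]


def update_hosting_fixed(store, actor, project_id, new_settings):
    """Fixed pattern: authorise the actor against the object being modified and
    fail closed when the actor is not a member or holds only a reader role."""
    project = store.get(project_id)
    if project is None:
        raise KeyError(project_id)
    role = project["members"].get(actor)     # None for non-members
    if role not in HOSTING_ADMIN_ROLES:
        raise Forbidden(f"{actor!r} (role={role}) may not modify hosting of {project_id}")
    project["hosting"].update(new_settings)
    return project["hosting"]
```

Note that the check is tied to the specific project ID in the request rather than to a global "is this user an admin anywhere" flag; that per-object binding is what an IDOR fix must add.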