Vulnerability Summary
An IDOR vulnerability in a notification configuration endpoint allows an authenticated attacker to modify org_id and username_id to access sensitive user data from other organizations (email, phone, role, etc.).
The affected program manages organizations, similar to Slack or Microsoft Teams, each containing multiple users. An organization administrator can configure the notifications that each selected user in the organization receives. The IDOR lies in the request sent when this configuration is changed: because the server trusts the organization and user identifiers supplied by the client, the response reveals highly sensitive details about users in any organization, such as name, phone number and email address.
HackerOne disclosed report --> https://hackerone.com/reports/3467641 by perxibes
An Insecure Direct Object Reference (IDOR) vulnerability in the organization API allows authenticated users to manipulate the identifier parameter and retrieve plaintext SFTP credentials belonging to other users or organizations, potentially leading to unauthorized access to sensitive files stored on the SFTP server.
HackerOne disclosed report --> https://hackerone.com/reports/2541962 by giwadaoud
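Both reports above share the same root cause: the endpoint accepts an organization or user identifier from the request and never checks that the caller is entitled to that object. The following is an added illustration, not code from either disclosed report or from the affected vendor, of a notification-settings handler that trusts the request's `org_id` and `username_id` beside a hardened version that scopes the lookup to the caller's session. The organization names, user records, parameter names and the `Session` object are all constructed for the example; the same tenant-membership check applies to the SFTP-credential endpoint in the second report.

```python
"""Constructed example of an IDOR in a notification-configuration endpoint
and the authorization check that closes it. Not from the disclosed reports."""
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    org_id: int
    username: str
    email: str
    phone: str
    role: str


@dataclass
class Session:
    """What the server actually knows about the caller (hypothetical shape)."""
    user_id: int
    org_id: int   # organization the caller is logged in to
    role: str


class Forbidden(Exception):
    pass


# Constructed sample data: two tenants, as in a Slack/Teams style product.
USERS = {
    1: User(1, 100, "alice", "alice@acme.example", "+1-555-0100", "admin"),
    2: User(2, 100, "bob", "bob@acme.example", "+1-555-0101", "member"),
    3: User(3, 200, "carol", "carol@globex.example", "+1-555-0200", "admin"),
}
NOTIFICATION_PREFS = {uid: {"email": True, "sms": False} for uid in USERS}


def vulnerable_update_notifications(session, org_id, username_id, prefs):
    """Vulnerable: uses org_id / username_id straight from the request body.

    The session is never consulted, so any authenticated caller can point the
    request at a user in another organization. The response also echoes the
    whole user record, which is what turns a settings change into PII exposure.
    """
    user = USERS[username_id]
    NOTIFICATION_PREFS[username_id].update(prefs)
    return {"org_id": org_id, "user": asdict(user),
            "prefs": dict(NOTIFICATION_PREFS[username_id])}


def secure_update_notifications(session, org_id, username_id, prefs):
    """Hardened: tenant comes from the session, target must belong to it."""
    # 1. The client-supplied org_id must match the org the caller is logged in to.
    if org_id != session.org_id:
        raise Forbidden("org_id does not match the caller's organization")
    # 2. Only org administrators may change other users' notification settings.
    if session.role != "admin" and username_id != session.user_id:
        raise Forbidden("only organization admins may edit other users")
    # 3. The target user must exist *in this tenant*. Unknown ids and
    #    other-tenant ids get the same answer so ids cannot be enumerated.
    user = USERS.get(username_id)
    if user is None or user.org_id != session.org_id:
        raise Forbidden("user not found in this organization")
    NOTIFICATION_PREFS[username_id].update(prefs)
    # 4. Return only what the caller needs; no email, phone or role in the reply.
    return {"username_id": username_id, "prefs": dict(NOTIFICATION_PREFS[username_id])}


if __name__ == "__main__":
    caller = Session(user_id=1, org_id=100, role="admin")   # admin of org 100
    print(vulnerable_update_notifications(caller, 200, 3, {"sms": True}))  # leaks carol
    try:
        secure_update_notifications(caller, 200, 3, {"sms": True})
    except Forbidden as exc:
        print("rejected:", exc)
```

Each `Forbidden` in the hardened handler is a good place to emit an audit log line with the session's user id and the requested identifiers; a single account producing many such rejections across different `org_id` values is the detection signal for the enumeration these reports describe.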