Insecure Direct Object Reference (IDOR) (CWE-639)CVSS 2.5Easy

Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure

hackerone-reports

March 16, 2026

51 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3467641 by perxibes

Unauthenticated access to private files and previews via Active Storage URLs (IDOR)

Description

While testing the application at fizzy.do domain asset into https://app.fizzy.do/ subdomain file uploads, I noticed that files and file previews served through Active Storage can be accessed directly via their URLs, without any authentication or authorization checks. These URLs remain accessible to other users and even to unauthenticated visitors, which allows access to private attachments outside the intended application flow.

Steps to Reproduce

Log in as User A
Upload a file to a card
View the uploaded file so the preview or download link is rendered
Copy the Active Storage URL from the browser (e.g., image preview or download link)

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

heroxo9868

IDOR leads Unauthorized Staff Member Removal via Insufficient Authorization Checks

Missing authorization checks allow unauthorized users to remove staff members from accounts they do not own, leading to potential disruption and abuse.

Read Writeup →

misesop375

2 IDOR’s & WAF Bypass to Expose Full Event Database

During a recent engagement on a food industry B2B platform, I discovered a vulnerability chain that allowed me to dump the entire database of users registered for a corporate event. By chaining a sequential ID enumeration vulnerability with a secondary IDOR on the “Edit Profile” endpoint - and optimizing the attack by identifying a weakness in the ID generation logic - I was able to access the Personally Identifiable Information (PII) of all event attendees.

Read Writeup →

pyus3r

IDOR Leading to Plaintext SFTP Credential Disclosure and Unauthorized SFTP Access

An Insecure Direct Object Reference (IDOR) vulnerability in the organization API allows authenticated users to manipulate the identifier parameter and retrieve plaintext SFTP credentials belonging to other users or organizations, potentially leading to unauthorized access to sensitive files stored on the SFTP server.

LogicalBreach Academy