Insecure Direct Object Reference (IDOR) (CWE-639)CVSS 2.5

Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure

hackerone-reports

March 16, 2026

14 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3467641 by perxibes

Unauthenticated access to private files and previews via Active Storage URLs (IDOR)

Description

While testing the application at fizzy.do domain asset into https://app.fizzy.do/ subdomain file uploads, I noticed that files and file previews served through Active Storage can be accessed directly via their URLs, without any authentication or authorization checks. These URLs remain accessible to other users and even to unauthenticated visitors, which allows access to private attachments outside the intended application flow.

Steps to Reproduce

Log in as User A
Upload a file to a card
View the uploaded file so the preview or download link is rendered
Copy the Active Storage URL from the browser (e.g., image preview or download link)

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

IDOR Leading to Plaintext SFTP Credential Disclosure and Unauthorized SFTP Access

An Insecure Direct Object Reference (IDOR) vulnerability in the organization API allows authenticated users to manipulate the identifier parameter and retrieve plaintext SFTP credentials belonging to other users or organizations, potentially leading to unauthorized access to sensitive files stored on the SFTP server.

Read Writeup →

pyus3r

Scaling IDOR: Automated PII Exfiltration via Notification Configuration Endpoints

An IDOR vulnerability in a notification configuration endpoint allows an authenticated attacker to modify org_id and username_id to access sensitive user data from other organizations (email, phone, role, etc.).