IDOR While Connecting a Social Account

The affected site describes itself as a community dedicated to learning hardware, from beginner to pro, where members share their projects and learn from other developers.

Weakness: Insecure Direct Object Reference (IDOR), CWE-639

Severity: High

Complexity: Simple~Easy

Steps to Reproduce:

1. Create an account on the site using an email address.

2. Log out.

3. Try to log in to that account with Facebook OAuth using the same email address.

4. This time the site asks the user: “We have found an existing user account registered on the same email, link these two accounts.”

5. Check the URL of that page: it carries the ID of the user account that is about to be linked.


6. Change the user ID in the URL to that of any other account and link our Facebook account to their email.

7. We are now logged into the victim’s account remotely.
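The linking flow above, modelled as an added example in plain Python (not the site's own code; the account data, session layout and all names are constructed): the vulnerable handler picks the account to link from the user ID in the URL, while the fixed handler uses only the account the server itself recorded when it found the email match and re-checks that the provider-verified email still agrees.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Account:
    user_id: int
    email: str
    facebook_id: Optional[str] = None

@dataclass
class OAuthIdentity:
    subject: str          # provider-side user id (e.g. the Facebook id)
    email: str            # email asserted by the provider
    email_verified: bool  # provider's verification flag

class LinkError(Exception):
    pass

def make_accounts() -> Dict[int, Account]:
    # Constructed sample data: the tester owns user 1, user 2 is the victim.
    return {1: Account(1, "tester@example.com"), 2: Account(2, "victim@example.com")}

def link_vulnerable(accounts, url_user_id: int, identity: OAuthIdentity) -> Account:
    """Vulnerable handler (CWE-639): the account to link is chosen by a user id taken
    straight from the URL, so any id the client supplies is accepted."""
    acct = accounts[url_user_id]
    acct.facebook_id = identity.subject
    return acct  # the site then logs the caller in as acct.user_id

def start_link(accounts, session: dict, identity: OAuthIdentity) -> Optional[int]:
    """Step 4 done safely: look up the existing account by the OAuth email and record
    the target in the server-side session instead of a URL parameter."""
    for acct in accounts.values():
        if acct.email.lower() == identity.email.lower():
            session["pending_link_user_id"] = acct.user_id
            session["pending_link_subject"] = identity.subject
            return acct.user_id
    return None

def link_fixed(accounts, session: dict, identity: OAuthIdentity) -> Account:
    """Fixed handler: ignore any client-supplied id; link only the account recorded
    server-side for this exact OAuth identity, and re-check the verified email."""
    target = session.get("pending_link_user_id")
    if target is None or session.get("pending_link_subject") != identity.subject:
        raise LinkError("no pending link for this identity")
    acct = accounts[target]
    if not identity.email_verified or acct.email.lower() != identity.email.lower():
        raise LinkError("account email does not match the OAuth identity")
    acct.facebook_id = identity.subject
    return acct
```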


Reported to Benjamin Larralde (co-founder of the site) ~ May 31

Fixed ~ May 31

Hall of Fame:

Security Analyst
