7,500$ – IDOR on Apple [consultants.apple.com]

In the name of Allah, the Most Gracious, the Most Merciful.

I’m lazy to write this actually, because this issue is like another IDOR. Nothing special, you just need to change the ID, and you will get an IDOR as simple as that. However, I need to write this because sometimes I question myself, that do I am worth it as Security Enthusiast? Hopefully, this post will keep me motivated me to keep it up! Let’s get started it!

Start Hunting

I chose Apple on my Bug Bounty Journey at that time, because I was inspired by my friends who got a nice bounty from Apple. However, at that time I don’t have any fancy recon tools like Rengine. So, my simple recon is just dorking with keywords like this: “site:*.apple.com”

Long story short, I got the target and it’s from consultants.apple.com. Just like a normal bug bounty hunter, I started to poke around, register and log in and do the basic thing with the feels. I’ve found some endpoint that include some numeric ID. So, I think “Hmmmmmmmmmm, lets try some IDOR on this thing

IDOR is (Usually) Simple

Quickly I create a new account for the second test account to check the IDOR, can’t believe that the endpoint is actually a vuln of IDOR, after that I check on another endpoint and it’s also vuln of IDOR!

Vuln URL : 
Step To Reproduce : 
  1. Go to https://consultants.apple.com/publicLocator/applicationAcnForm?lang=us
  2. Use 2 Accounts ( A and B ) , Save the ID of account B
  3. Change data Account A / Delete the Data
  4. Change The ID to account B
  5. Will receive if data is saved
  6. Reload Account B
  7. Data Account B is changed.

Simple Reporting

Not good enough to write an awesome report like other’s bug bounty hunters. I quickly report with simple words and describe where the vuln come from and attached the video to reproduce the issue. Simple, right?

Wait is Pain

  • Dec 17, 2020 – Report
  • Dec 17, 2020 – First Respond
  • Mar 4, 2021 – “Any Update?”
  • Mar 4, 2021 – “Your report is duplicate!” -Apple
  • Mar 4, 2021 – “Are you sure?”
  • Mar 4, 2021 – “Sorry, no! My mistake” -Apple
  • Mar 4, 2021 – “You got me a heart attack for a second.”
  • Mar 11, 2021 – “7,500$ Bounty is coming!” – Apple

Acknowledge Link:

  • https://support.apple.com/en-ug/HT212711
  • https://support.apple.com/en-ug/HT201536