Cancelling everyone’s CultSport orders with IDOR

Monish Basaniwal
3 min read · Nov 29, 2023

What if someone were able to cancel every order you placed? This write-up details an IDOR vulnerability in Cult Fit's shop (CultSport) that allowed me to do exactly that.

Date Reported: August 15, 2023

First Response: August 16, 2023

Vulnerability Confirmed: August 16, 2023

Resolved & Bounty: August 18 & Sept 6, 2023

What went down: The Specifics

Each order on CultSport has an array of items associated with it, and each item in the order is assigned an inventoryUnit id.

So while every product may share the same static product ID, each of my orders carries a unique inventory ID for the specific unit being shipped to me.

So if I had to cancel my order, I would follow these steps:

  1. Go to cultsport.com and log in to my account
  2. Place any order for any item
  3. Go to the orders page, click on the order I just placed and click on cancel
  4. You are now redirected to the cancellation reason page; click on any reason and click on cancel

At this point the following endpoint was called:

https://cultsport.com/api/gear/v2/inventory-units/cancel-multiple

The body of this request was as follows:

{"orderId":<order_id>,"addressId":null,"inventoryUnits":[{"id":<inventory_id>,"reason":{"code":"PLACED_BY_MISTAKE","note":"","sub_reasons":[]}}]}

Here inventory_id is a simple, guessable numerical ID like 2385735 that can be incremented or decremented to reach other users' inventory IDs, and the endpoint performs no check that the ID belongs to the caller. Since every item in every order has one such unique ID, an attacker can simply change this value and cancel other users' orders directly.
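To make the missing check concrete, here is an added example (not CultSport's code; the order schema, account names and order IDs are constructed, only the request body shape and the sample unit ID come from the write-up) that models the cancel-multiple handler twice: once with the flaw described above, and once resolving ownership server-side so the check holds whether or not the IDs stay sequential.

```python
import json

# Constructed sample state, not CultSport's real schema: each order records its
# owning account and the inventory-unit ids that belong to it.
SAMPLE_ORDERS = {
    501: {"owner": "account_A", "units": {2385735, 2385736}},
    502: {"owner": "account_B", "units": {2385737}},
}

def new_state():
    """Fresh state with every inventory unit still PLACED."""
    units = {u: "PLACED" for o in SAMPLE_ORDERS.values() for u in o["units"]}
    return {"orders": SAMPLE_ORDERS, "units": units}

def cancel_body(order_id, unit_id):
    """Build the request body shown in the write-up (values are constructed)."""
    return json.dumps({"orderId": order_id, "addressId": None,
                       "inventoryUnits": [{"id": unit_id, "reason": {
                           "code": "PLACED_BY_MISTAKE", "note": "", "sub_reasons": []}}]})

def cancel_multiple_vulnerable(state, caller, body):
    """The flaw described above: the inventory-unit id alone selects what gets
    cancelled; `caller` is authenticated but never compared against ownership."""
    req = json.loads(body)
    for unit in req["inventoryUnits"]:
        if unit["id"] in state["units"]:
            state["units"][unit["id"]] = "CANCELLED"
    return 200, {"cancelled": [u["id"] for u in req["inventoryUnits"]]}

def cancel_multiple_fixed(state, caller, body):
    """Hardened handler: look the order up, require that it belongs to the
    caller, and accept only unit ids that are actually part of that order."""
    req = json.loads(body)
    order = state["orders"].get(req["orderId"])
    if order is None or order["owner"] != caller:
        # Same answer for "no such order" and "not your order", so the response
        # does not reveal which order ids exist.
        return 404, {"error": "order not found"}
    requested = {u["id"] for u in req["inventoryUnits"]}
    foreign = requested - order["units"]
    if foreign:
        # A unit id from a different order is exactly the pattern in this
        # write-up; the rejected ids are returned so the caller can log them.
        return 403, {"error": "inventory unit not in order", "rejected": sorted(foreign)}
    for uid in requested:
        state["units"][uid] = "CANCELLED"
    return 200, {"cancelled": sorted(requested)}
```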

I was able to replicate this by using two different accounts: I created an order on Account A and, using B's token, deleted the order, since I already knew the inventory ID for it. Even if I hadn't, since the inventory ID was a simple number, it wouldn't have been a problem to search for it.

And sure enough, the order on Account A was cancelled:

The response to the request was also very reassuring:

Final Reflections

Even the most extensive systems possess imperfections that can result in unexpected and severe complications.

Utilizing Randomized Identifiers: Introducing random identifiers is a potent approach across many facets of system architecture. Whether generating session tokens, crafting database keys, or assigning temporary designations, random IDs add an element of unpredictability that bolsters security and diminishes the likelihood of vulnerabilities. By relying on randomization, systems can thwart predictability and decrease the risk of malicious exploitation.

Until next time :)
