Sequential letter IDOR across the archive
Foundations web engagement: love-letter app assigned sequential archive numbers; authenticated users could open other users’ letters by changing the numeric id.
- Case files
- Sequential letter IDOR across the archive
Registered account; created letter id=3; decrementing to 2 and 1 returned other users’ letters including the engagement artifact.
Letter URLs accepted foreign ids; id=1 disclosed the protected letter.
Engagement summary
Registered account; created letter id=3; decrementing to 2 and 1 returned other users’ letters including the engagement artifact.
LOVE LETTER LOCKER advertised that every letter received a unique archive number. After signup, creating a letter produced a URL with id=3. Changing the path/query to id=2 and id=1 returned other users’ content without an ownership check — classic sequential IDOR on a sentimental data store.
Business impact
Sequential object ids plus missing authz expose private correspondence at scale. Bind letter reads to the owning user_id in the query; use non-guessable ids only as secondary hardening.
Register, create, and walk ids downward
Letter URLs accepted foreign ids; id=1 disclosed the protected letter.
OPERATOR · WEB
savvy@lab:~$ # register + login; create letter → /letters/3
savvy@lab:~$ curl -s -b 'session=<cookie>' http://target/letters/2
# another user's letter body returned
savvy@lab:~$ curl -s -b 'session=<cookie>' http://target/letters/1
THM{1_c4n_r3ad_4ll_l3tters_w1th_th1s_1d0r}
Remediation
Authorize letter_id against session user. Return 404 for unauthorized ids. Add integration tests that attempt cross-user reads.