Beyond RAM and ROM: IDOR Leads to Unauthenticated File Upload Vulnerability in Indian Government Site

Insecure direct object references to file upload

Vedavyasan S (@ved4vyasan)
System Weakness


Hi friends, I’m Vedavyasan S👽, a full-time bug hunter and a cybersecurity enthusiast. In this short time, I’ve secured Apple, Microsoft, Nokia, BBC, UN, IIT, and some government websites of India. 🕵️‍♂️💻

Let’s get to the story. I live in a small village in Kerala. One day, my friends teased me for not knowing the full forms of RAM and ROM (RAM is to remove hang and ROM is to increase storage🤣).

After that, I went back home, grabbed my brand new laptop, and started to learn the full forms of RAM and ROM. Suddenly, it got stuck. There I was, thinking, “Oh, my RAM gods!!!”.

I was surprised that a brand new laptop with a high-end processor started getting stuck within a month of purchase. I decided to inform their customer care about the issue, but I didn’t receive a satisfactory response. So, I reported the issue to the complaint portal.

After a few days, I called their customer care again to get an update and to upload some photos related to my issue. They asked me to choose my language, then enter the complaint number. Afterward, they sent a link to both my email and my phone number (as a text message). And that’s where the story really begins.

The link looked like this: https://redacted.com/ud.php?gno=MTIzNDU2Nw==

So I will break down the link.

https://redacted.com/ is the base URL.

ud.php: is the server-side script responsible for handling the uploaded photos.

gno: is the parameter that carries the complaint number, encoded in Base64. It is what links the uploaded photos to the corresponding complaint.

MTIzNDU2Nw==: is the encoded complaint number (it decodes to 1234567).

(Due to some privacy issues I can’t disclose the original complaint ID here.)

So I clicked the link, and it redirected me to the photo upload page.

Here my curiosity level increased. I reconstructed the link by removing the Base64-encoded number and putting in another one. For example: my complaint number is 1234567 and the changed number is 1237654. I encoded that into Base64 as well, and now the link looks like this:

https://redacted.com//ud.php?gno=MTIzNzY1NA==

I opened the link. Eureka…!!!!!!

The link led me directly to another user’s file upload page. Without wasting any time, I reported it to the responsible authorities. They implemented my suggestion and added a page that asks for the registered mobile number for verification. Only if the entered mobile number matches the number registered on that complaint can the user proceed to the upload functionality.
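To make the vulnerable pattern and the fix concrete, here is an added Python example (not code from the write-up or from the portal itself): a stand-in for the lookup behind ud.php that trusts the decoded gno alone, the mobile-number check the author describes, and, going one step beyond the post, a link value carrying a server-side HMAC tag so that guessing a neighbouring complaint number is not enough. The complaint records, mobile numbers and secret key are all constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the complaint database (numbers are made up).
COMPLAINTS = {
    "1234567": {"mobile": "9000000001"},
    "1237654": {"mobile": "9000000002"},
}
# Constructed server-side secret; in production it lives outside the code.
LINK_SECRET = b"constructed-secret-key"

def decode_gno(gno: str) -> Optional[str]:
    """Base64-decode the gno parameter exactly as the link carries it."""
    try:
        return base64.b64decode(gno, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None

def vulnerable_upload_page(gno: str) -> Optional[str]:
    """Original behaviour: the decoded number alone selects the upload page,
    so re-encoding any other complaint number reaches another user's page."""
    cid = decode_gno(gno)
    return cid if cid in COMPLAINTS else None

def verified_upload_page(gno: str, mobile_entered: str) -> Optional[str]:
    """Fix described in the write-up: the visitor must also enter the mobile
    number registered on that complaint before the upload page is served."""
    cid = decode_gno(gno)
    rec = COMPLAINTS.get(cid)
    if rec is None or not hmac.compare_digest(rec["mobile"].encode(), mobile_entered.encode()):
        return None
    return cid

def make_signed_gno(cid: str) -> str:
    """Stronger link: append an HMAC over the complaint number, so the value
    cannot be produced by anyone who does not hold the server secret."""
    tag = hmac.new(LINK_SECRET, cid.encode(), hashlib.sha256).hexdigest()[:32]
    return base64.b64encode(f"{cid}.{tag}".encode()).decode()

def signed_upload_page(gno: str) -> Optional[str]:
    """Serve the page only if the tag verifies for the embedded complaint number."""
    raw = decode_gno(gno)
    if raw is None or "." not in raw:
        return None
    cid, tag = raw.split(".", 1)
    expected = hmac.new(LINK_SECRET, cid.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return cid if cid in COMPLAINTS else None
```

The plain Base64 value MTIzNzY1NA== still opens the second complaint in the vulnerable version, is refused by the mobile-number check unless the registered number is entered, and is rejected outright by the signed variant because it carries no tag.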

Thanks for reading my writeup! You can DM me on Twitter, LinkedIn, or Instagram.

“Don’t let anyone discourage you if a few people try to mock you by telling your past or anything else. Just mind it that you are on the right path.”
