
Airbnb: Stealing the Earnings of Airbnb Hosts by Adding a Bank Account/Payment Method (IDOR)

Hi All,

Company Info:
Airbnb is an online marketplace and hospitality service that enables people to lease or rent short-term lodging, including vacation rentals, apartment rentals, homestays, hostel beds, and hotel rooms. The company does not own any lodging; it is merely a broker and receives percentage service fees (commissions) from both guests and hosts in conjunction with every booking. It has over 3,000,000 lodging listings in 65,000 cities and 191 countries, and the cost of lodging is set by the host.


Bug category:
Insecure Direct Object Reference (IDOR)
Link: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References


Technical Details of the Bug:
Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized to access the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows…