How was I able to lock any user’s account?

Syd Ricafort (0cod3)
2 min read · Dec 31, 2024


Hello, everyone! This is Syd from the Philippines, a part-time bug hunter. Today, I want to share one of my findings on HackerOne. It’s from a Vulnerability Disclosure Program (VDP), so there was no bounty, but it was an easy find. Let’s dive in!

Vulnerability Type: IDOR (Insecure Direct Object References)

Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Similar to other websites, this target also has a reset password flow. During my initial testing of this functionality, I noticed something intriguing. The reset password process allows users to request a temporary password, which is sent to their primary email address. This made me wonder — what if I change the username to the target’s username and send an invalid request? Would this cause the victim to get locked out?

And yes, it worked. When I checked the victim’s account, it was locked out. I realized I could repeat this process continuously, causing the victim to lose access to their account entirely.
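To make the mechanism behind this finding concrete, here is an added example, constructed for this write-up and not the target's or the author's code. It models a reset endpoint whose failed-attempt counter is keyed only by the username in the request (so any requester can push a named account to the lockout threshold), next to a hardened variant that throttles the requester instead and never changes the named account's login state. The threshold, the "invalid request" condition (a recovery email that does not match the account) and the source identifiers are assumptions made for the demonstration.

```python
"""Model of the lockout-by-reset flaw and one hardened alternative.

Constructed example: the classes, threshold and sample data below are
assumptions for illustration, not the real target's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass
import secrets

LOCKOUT_THRESHOLD = 5  # assumed number of failed resets before lockout


@dataclass
class Account:
    username: str
    email: str
    locked: bool = False
    failed_resets: int = 0


class VulnerableResetService:
    """Counter lives on the account named in the request and is incremented
    by whoever sends the request, which is the pattern the post describes:
    a third party can lock an account simply by naming it repeatedly."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def request_reset(self, username, supplied_email):
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown user"  # also confirms account existence (secondary issue)
        if acct.locked:
            return "account locked"
        if supplied_email != acct.email:  # the "invalid request" from the post
            acct.failed_resets += 1
            if acct.failed_resets >= LOCKOUT_THRESHOLD:
                acct.locked = True  # victim's login is now blocked
            return "invalid request"
        return "temporary password sent"


class HardenedResetService:
    """Throttle per requester (source), not per named account, and never
    alter the account's login state because of reset requests."""

    def __init__(self, accounts, per_source_limit=5):
        self.accounts = {a.username: a for a in accounts}
        self.per_source_limit = per_source_limit
        self.attempts_by_source = defaultdict(int)
        self.outbox = []  # (recipient, token) messages that would be sent

    def request_reset(self, username, supplied_email, source):
        # Every request from this source counts, whatever username it names.
        self.attempts_by_source[source] += 1
        if self.attempts_by_source[source] > self.per_source_limit:
            return "too many requests"  # the requester is throttled, not the victim
        acct = self.accounts.get(username)
        if acct is not None and supplied_email == acct.email:
            token = secrets.token_urlsafe(32)
            self.outbox.append((acct.email, token))
        # Identical response either way: no enumeration, no lockout.
        return "if the account exists, a reset email has been sent"


def demo():
    """Drive both services with the same abusive traffic and report
    (victim locked in vulnerable service, victim locked in hardened service,
    number of reset emails the hardened service sent to the real owner)."""
    victim = Account("victim", "victim@example.test")
    vuln = VulnerableResetService([victim])
    for _ in range(LOCKOUT_THRESHOLD):
        vuln.request_reset("victim", "wrong@example.test")
    vuln_locked = victim.locked

    victim2 = Account("victim", "victim@example.test")
    hard = HardenedResetService([victim2])
    for _ in range(20):  # far beyond the per-source limit, from one source
        hard.request_reset("victim", "wrong@example.test", source="198.51.100.7")
    hard_locked = victim2.locked
    # The genuine owner, from a different source, still gets a reset email.
    hard.request_reset("victim", "victim@example.test", source="203.0.113.5")
    return vuln_locked, hard_locked, len(hard.outbox)


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The essential fix is the invariant in the hardened class: a request that merely names an account must never change that account's state. Per-source throttling limits abuse of the endpoint itself (and can be paired with other signals, since a determined caller can rotate sources), and the uniform response avoids confirming which usernames exist.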


Written by Syd Ricafort (0cod3)

/* Security Researcher && Programmer */
