Bug #22305

[External Audit Findings][MLEB, iOS, Android] Insecure Direct Object Reference Vulnerability (IDOR)

Added by yap chekying 21 days ago. Updated 11 days ago.

Status: Pending PROD
Start date: 29 July 2025
Priority: High
Due date:
Assignee: yap chekying
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Issue:
The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Recommendation from pentester:
Developers must implement proper access control so that users can only access information or perform actions within a session that are defined by the access rights assigned to that session.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:11 AM

Android-old app to new app.mp4 (19.5 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, binded 2.mp4 (6.32 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, binded 1.mp4 (15.5 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, not bind.mp4 (10.7 MB) yap chekying, 06 August 2025 10:57 AM

iOS-Fresh install, binded.mp4 (7.45 MB) yap chekying, 06 August 2025 10:57 AM

iOS-old app to new app.mp4 (15 MB) yap chekying, 06 August 2025 10:57 AM

iOS-Fresh install, not bind.mp4 (5.13 MB) yap chekying, 06 August 2025 10:57 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 10:58 AM

History

#1 Updated by Hao Ter Tai 18 days ago

238,070
1/8/2025 [External Audit Findings][MLEB] Insecure Direct Object Reference Vulnerability (IDOR)

Issue:
The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Solution:
FE will store the alias id and pass it back to BE for BE checking

#2 Updated by Tan Hi Ann 14 days ago

  • Status changed from New to Resolved

RC: The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Solution: BE uses the aliasId passed from FE and compares it with a self-constructed aliasId to ensure the same device and user
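
The following is an added illustration of the fix pattern described in this ticket and in the pentester's recommendation above; it is not code from the MLEB backend or from any of the ticket's authors. It assumes the aliasId is a keyed hash over the authenticated user and the bound device (how the real aliasId is constructed is not stated in the ticket), and all keys, ids, account records and function names are constructed for the example. The "before" handler shows the IDOR the audit reported; the "after" handler recomputes the aliasId server-side, compares it in constant time, and then enforces ownership of the requested object.

```python
import hmac
import hashlib
import logging

# Everything in this module is a constructed illustration of the ticket's design
# (FE sends an aliasId, BE recomputes it and compares). The key, ids and records are
# made up; the real MLEB service, its key storage and data model are not known here.
log = logging.getLogger("account-api")

# Placeholder signing key. In a real deployment this comes from a secret store / KMS.
ALIAS_KEY = b"constructed-example-key-do-not-use"

# Constructed account store: object ids are guessable, so ownership must be enforced.
ACCOUNTS = {
    "acct-1001": {"owner": "user-A", "balance": 5000},
    "acct-1002": {"owner": "user-B", "balance": 120},
}


def build_alias_id(user_id: str, device_id: str) -> str:
    """Server-side aliasId: keyed hash over the authenticated user and bound device.

    The key never leaves the backend, so a client cannot forge an aliasId for another
    user/device pair; it can only present the one issued to its own binding.
    """
    material = f"{user_id}|{device_id}".encode()
    return hmac.new(ALIAS_KEY, material, hashlib.sha256).hexdigest()


def get_account_vulnerable(session: dict, account_id: str) -> tuple:
    """Before: the record is looked up by a client-controlled id with no ownership
    check. This is the IDOR pattern the audit reported."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def get_account_hardened(session: dict, account_id: str, client_alias_id: str) -> tuple:
    """After: bind the request to the session's user/device, then enforce ownership."""
    # 1. Recompute the aliasId from the server-side session, never from request input,
    #    and compare in constant time (encode so non-ASCII client input cannot raise).
    expected = build_alias_id(session["user_id"], session["device_id"])
    if not hmac.compare_digest(expected.encode(), client_alias_id.encode()):
        # Detection hook: an aliasId mismatch on an authenticated session is a strong
        # signal of tampering or of a stale/migrated client binding worth alerting on.
        log.warning("aliasId mismatch user=%s device=%s",
                    session["user_id"], session["device_id"])
        return 403, {"error": "session binding mismatch"}

    # 2. Authorise the object itself. "Exists but not yours" is answered exactly like
    #    "does not exist" so the API does not confirm which ids are valid.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session["user_id"]:
        log.warning("denied access user=%s object=%s", session["user_id"], account_id)
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    sess = {"user_id": "user-A", "device_id": "dev-01"}
    alias = build_alias_id("user-A", "dev-01")
    print(get_account_vulnerable(sess, "acct-1002"))         # returns user-B's record
    print(get_account_hardened(sess, "acct-1002", alias))    # 404: not the caller's object
    print(get_account_hardened(sess, "acct-1001", alias))    # 200: own record
    print(get_account_hardened(sess, "acct-1001", "0" * 64)) # 403: aliasId mismatch
```

The aliasId comparison alone only proves the request came from the bound user and device; it does not by itself prove that the requested object belongs to that user, which is why the ownership check in step 2 is kept as a separate, mandatory step.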

#3 Updated by Tan Hi Ann 14 days ago

  • Assignee changed from Tan Hi Ann to yap chekying

#5 Updated by yap chekying 11 days ago

  • Subject changed from [External Audit Findings][MLEB] Insecure Direct Object Reference Vulnerability (IDOR) to [External Audit Findings][MLEB, iOS, Android] Insecure Direct Object Reference Vulnerability (IDOR)

#6 Updated by yap chekying 11 days ago

  • Status changed from Pending UAT to Pending PROD
