Bug #22305

[External Audit Findings][MLEB, iOS, Android] Insecure Direct Object Reference Vulnerability (IDOR)

Added by yap chekying about 1 month ago. Updated 5 days ago.

Status: Closed
Start date: 29 July 2025
Priority: High
Due date:
Assignee: yap chekying
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Issue:
The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Recommendation from pentester:
Developers must implement proper access control so that users can only access information or perform actions within a session that are defined by the access rights assigned to that session.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:11 AM

Android-old app to new app.mp4 (19.5 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, binded 2.mp4 (6.32 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, binded 1.mp4 (15.5 MB) yap chekying, 06 August 2025 10:57 AM

Android-Fresh install, not bind.mp4 (10.7 MB) yap chekying, 06 August 2025 10:57 AM

iOS-Fresh install, binded.mp4 (7.45 MB) yap chekying, 06 August 2025 10:57 AM

iOS-old app to new app.mp4 (15 MB) yap chekying, 06 August 2025 10:57 AM

iOS-Fresh install, not bind.mp4 (5.13 MB) yap chekying, 06 August 2025 10:57 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 10:58 AM

History

#1 Updated by Hao Ter Tai about 1 month ago

238,070
1/8/2025 [External Audit Findings][MLEB] Insecure Direct Object Reference Vulnerability (IDOR)

Issue:
The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Solution:
FE will store the alias id and pass it back to BE for BE checking

#2 Updated by Tan Hi Ann about 1 month ago

  • Status changed from New to Resolved

RC: The IDOR vulnerability occurs when an app exposes internal object references without access control. This allows attackers to access data by manipulating input values. If exploited, IDOR may lead to serious business data breaches.

Solution: BE uses the aliasId passed from FE and compares it with a self-constructed aliasId to ensure the same device and user
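The fix described in the comment above, as an added illustration rather than code from this project: the backend derives its own alias id from the session's user and device, compares it with the value the client sends, and then still checks that the requested object belongs to the session user. Everything here is constructed for the example; the HMAC-based alias derivation, the `Session` type, the secret name and the sample account records are assumptions, not the project's implementation.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed server-side secret (hypothetical; in practice loaded from a secrets store).
SERVER_SECRET = b"hypothetical-server-side-secret"

# Constructed sample data: account objects and the user that owns each one.
ACCOUNTS = {
    "acct-1001": {"owner": "user-A", "balance": 500},
    "acct-2002": {"owner": "user-B", "balance": 900},
}


@dataclass
class Session:
    """Authenticated session state the backend already trusts (assumed shape)."""
    user_id: str
    device_id: str


def make_alias_id(user_id: str, device_id: str) -> str:
    """Self-constructed alias id: an HMAC over (user, device) keyed with a
    server secret, so a client cannot forge an alias for another user/device."""
    msg = f"{user_id}|{device_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def get_account_vulnerable(session: Session, account_id: str) -> Optional[dict]:
    """IDOR pattern: the object reference from the request is used directly,
    with no check that it belongs to the caller."""
    return ACCOUNTS.get(account_id)


def get_account_checked(session: Session, account_id: str,
                        client_alias_id: str) -> Optional[dict]:
    """Access-controlled variant:
    1. recompute the alias id from the session and compare in constant time
       with the value the FE sent back, so the request is bound to the same
       user and device;
    2. confirm the referenced object is owned by the session user."""
    expected = make_alias_id(session.user_id, session.device_id)
    if not hmac.compare_digest(expected, client_alias_id):
        return None  # alias does not match this session's user + device
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session.user_id:
        return None  # object missing or not owned by the caller
    return acct


if __name__ == "__main__":
    sess = Session(user_id="user-A", device_id="dev-1")
    alias = make_alias_id(sess.user_id, sess.device_id)
    print("vulnerable, other user's object:", get_account_vulnerable(sess, "acct-2002"))
    print("checked, other user's object:  ", get_account_checked(sess, "acct-2002", alias))
    print("checked, own object:           ", get_account_checked(sess, "acct-1001", alias))
```

The ownership lookup in step 2 is what closes the IDOR; the alias comparison in step 1 is the additional binding to user and device that the resolution above describes. Both checks run on the backend, so nothing the client stores or modifies changes the outcome.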

#3 Updated by Tan Hi Ann about 1 month ago

  • Assignee changed from Tan Hi Ann to yap chekying

#5 Updated by yap chekying about 1 month ago

  • Subject changed from [External Audit Findings][MLEB] Insecure Direct Object Reference Vulnerability (IDOR) to [External Audit Findings][MLEB, iOS, Android] Insecure Direct Object Reference Vulnerability (IDOR)

#6 Updated by yap chekying about 1 month ago

  • Status changed from Pending UAT to Pending PROD

#7 Updated by yap chekying 5 days ago

  • Status changed from Pending PROD to Closed
