Leaking Sensitive User Data via IDOR in Tokopedia Endpoint

After a long hiatus with busy activities in RL, I decided to write again in this blog about my experience with Bug Bounty from Tokopedia. While testing Tokopedia program, I find an IDOR vulnerability in one of the endpoints that lets me leaking user sensitive information include name, phone number, address and etc. Tokopedia has allowed me to share this finding but with redacted sensitive information.

Continue reading