A vulnerable password reset API made it possible to take over any account and gain admin-level access to the platform. In addition, broken/missing access controls made it possible to access all data on the platform.

The researcher chained an insecure password reset API route to bypass authentication, then discovered an IDOR vulnerability could be leveraged to access sensitive customer data.

For everyone that says “The real world can’t be as easy as training labs make it seem out to be!”, sometime it really do be that ez.