Status DataClose notification

CoinDepo Disclosed Report

Critical IDOR via Username Parameter allows complete account takeover (ATO)

Company
Created date
Aug 14 2025

Target

hidden

Vulnerability Details

Multiple POST requests across the application include a username parameter that the server fully trusts for authorization. The server does not validate whether the provided username belongs to the currently authenticated session.

As a result, an attacker can change the username value to another valid user’s username and perform any action that the original owner could without knowing their credentials.

This issue affects all POST requests where the username parameter is present, making it possible to compromise any account and perform high-impact actions.

Validation steps

  1. Log in to your own account on the platform.

  2. Intercept any POST request that contains the username parameter. Example (structure varies depending on the feature being used):

Host: app.coindepo.com
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="username"

[email protected]
------boundary
Content-Disposition: form-data; name="client_token"

<your_valid_token>
  1. the action will return 200 OK and will successfully view, modify, delete any request action

POC: Video on Attachments

Attachments

hidden
CommentsReport History
Comments on this report are hidden
Details
Statedisclosed
Severity
Critical
Bounty$5,289
Visibilitypartially
VulnerabilityInsecure Direct Object Reference (IDOR)
Participants
hidden