Status DataClose notification

CoinDepo Disclosed Report

IDOR in Add New Loan (USDT) Feature - Coindepo

Company
Created date
Aug 16 2025

Target

hidden

Vulnerability Details

Hy Team Have Good Day

Summary

Critical IDOR vulnerability in /api/get_user_loan allows accessing any user's loan data by simply changing the username parameter to victim's email.

Impact

  • Access any user's USDT loan information
  • View sensitive financial data of other users
  • User enumeration via email addresses

Root Cause

No authorization check that authenticated user matches requested username parameter.

Fix

if (authenticated_user !== request.username) {
    return 403;
}

Validation steps

Vulnerable Request:

POST /api/get_user_loan HTTP/2
Host: app.coindepo.com

[email protected]  ← Any user's email
amount=54654
coin_id=2

Test Results:

Attachments

hidden
CommentsReport History
Comments on this report are hidden
Details
Statedisclosed
Severity
Critical
Bounty$5,289
Visibilitypartially
VulnerabilityInsecure Direct Object Reference (IDOR)
Participants
hidden