Sendoso IDOR

I don't generally click on links that promise free money in exchange of doing surveys, but in this case it was Elasticsearch and after suspending my disbelief, I decided why the hell not. A week after completing the survey I got an e-mail saying my free gift card has arrived, it was nice because that was already more than I would have asked. Can't say no to "free money" though.

My appreciation ended quickly, the link in the e-mail was broken, the promised money wasn't there :(. I contacted support, took them a bit too long to fix such a major issue (IMHO) but can't really complain about a gift.

However, the broken link I was sent raised questions...

Description

The link everyone gets should (in theory) nicely redirect to the actual gift card page (as I could see myself, after mine was fixed). In my case it just got stuck, because it turned out they had ran out of gift cards by the time I clicked mine. Only because of that simple mistake I noticed the MD5 hash in the URL, just being curious I pasted it into Google and found out it's just a hash of a five-digit number.

Oh boy, it can't be, can it?

With a link looking like this: https://sendoso.com/egift_cards/<md5 hash>

Noooo, it can't be. But it was, if one hashes any other number close-by it also works, there's absolutely no authentication if the link given is generated by them, or if has been sent specifically to you. Ironically, only invalid links display a login form, those can be skipped. I don't think I have seen a sillier Insecure Direct Object Reference out there but there it was. What makes it especially interesting is that the "objects" in this case are real gift cards.

Somehow Sendoso had managed to make the infamous scam letters promising infinite amounts of gift cards "free and easy" totally true.

Fixed Sendoso page image

Timeline

  • 23.08.2019 - I got a link to their GC portal
  • 23.08.2019 - Found the Sendoso vulnerability, e-mailed them
  • 27.08.2019 - Contacted them via their chat, was told that they'll take a look at the e-mail
  • 27.08.2019 - I sent an another e-mail, was told that I'll be replied to
  • 09.09.2019 - E-mailed them again, no response, still not fixed
  • 21.09.2019 - Tried e-mailing them again, no response, still not fixed
  • 02.01.2020 - Public disclosure
  • 07.04.2020 - Sendoso contacted me. They are claiming they've fixed the vulnerability. I have not confirmed they have.