I don't generally click on links that promise free money in exchange for doing surveys, but in this case it was Elasticsearch, so I suspended my disbelief that they'd try to scam me and decided: why the hell not. I did the survey, and a week later I got an e-mail saying my free gift card had arrived. That was nice, because it was already more than I would have asked for, but I won't say no to "free money". Unfortunately, the link in the e-mail was broken and the promised money wasn't there. I contacted support; it took them a bit too long to fix such a major issue (IMHO), but I couldn't complain. However, the page the broken link took me to raised questions...
The link everyone gets should in theory redirect nicely to the actual gift card page (as I saw once mine was fixed), but in my case it just got stuck there because they had run out of gift cards by the time I clicked mine. That is how I noticed the MD5 hash in the URL. Out of curiosity I pasted it into Google and found out it's just the hash of a five-digit number. Oh boy, it can't be, can it?
My link looked like this: https://sendoso.com/egift_cards/<md5 hash>
But it was. It turned out that if one hashes any other nearby number, that link works too: there is absolutely no check that the link was generated by them or that it was sent specifically to you. Ironically, only invalid links display a login form, and those can simply be skipped. I don't think I have seen a sillier Insecure Direct Object Reference out there, but there it was. What makes it especially bad is that the "objects" in this case are real gift cards.
Somehow Sendoso had managed to make the infamous scam letters promising infinite amounts of gift cards "free and easy" totally true.
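To make the point concrete, here is an added example (my own illustration, not Sendoso's code) contrasting the scheme described above, an MD5 of a five-digit counter, with a design that actually binds a link to its recipient. The five-digit ID space, the recipient e-mail addresses and the `GiftCardStore` class are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

ID_SPACE = 100_000  # assumption: five-digit counter, 00000..99999


def weak_link_token(card_id: int) -> str:
    """The token as the post describes it: MD5 of a five-digit number."""
    return hashlib.md5(f"{card_id:05d}".encode()).hexdigest()


def weak_token_entropy_bits() -> float:
    """Effective entropy is bounded by the ID space, not by MD5's 128-bit output."""
    return math.log2(ID_SPACE)


def recover_card_id(token: str) -> Optional[int]:
    """Why the hash is no secret: the whole ID space fits in one small table."""
    table = {weak_link_token(i): i for i in range(ID_SPACE)}
    return table.get(token)


class GiftCardStore:
    """Hardened design: random capability token, stored hashed, bound to one recipient."""

    def __init__(self) -> None:
        self._cards = {}  # sha256(token) -> record; a DB leak does not leak usable links

    def issue(self, card_id: int, recipient: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        key = hashlib.sha256(token.encode()).hexdigest()
        self._cards[key] = {"card_id": card_id, "recipient": recipient, "redeemed": False}
        return token

    def redeem(self, token: str, recipient: str) -> Optional[int]:
        """Return the card ID only if the token is valid, unused and presented by its recipient."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._cards.get(key)
        if record is None or record["redeemed"]:
            return None
        # constant-time comparison of the recipient identity checked at login
        if not hmac.compare_digest(record["recipient"], recipient):
            return None
        record["redeemed"] = True
        return record["card_id"]
```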
- 23.08.2019 - I got a link to their GC portal
- 23.08.2019 - Found the vulnerability, e-mailed them
- 27.08.2019 - I sent another e-mail, was told that I'll be replied to
- 09.09.2019 - E-mailed them again, no response, still not fixed
- 21.09.2019 - Tried e-mailing them again, no response, still not fixed
- 02.01.2020 - Public disclosure