This story was originally published on HackerNoon at: https://hackernoon.com/the-zero-day-deduction.
A bug-bounty hunter finds an IDOR vulnerability in a major tax portal, exposing millions of financial records. A story about privacy, ethics, and the HTTP protocol.
This story was written by: @legit.
While testing a tax software API for a bug bounty, I discovered a critical Insecure Direct Object Reference (IDOR). By changing a single integer in the URL, I bypassed authentication and accessed a stranger's full tax return. I realized I was one script away from downloading the entire country's financial data.