Leak all write ups via IDOR in dreamhack.io

Description

dreamhack.io is a security education program managed by Theori. In Dreamhack, users can solve wargame challenges and write solutions. When doing so, the user can write the solution for a fee or free of charge. I found a vulnerability that could leak all of Dreamhack’s wargame write-ups using a simple IDOR. Unfortunately, I didn’t leak all write-ups using that vulnerability.


Reporting Timeline

  • 2022-04-04 15h 28m : Reported this issue via the patchday
  • 2022-04-28 01h 37m : Status changed to new by patchday
  • 2022-05-06 18h 01m : Status changed to classified by saika
  • 2022-05-06 18h 13m : Status changed to fixed by saika
  • 2022-05-06 18h 13m : Vulnerability score changed 3pts to 6pts by saika
  • 2022-05-06 18h 13m : Bounty was set at 500,000 won by saika
  • 2022-05-06 18h 14m : Status changed to payment in progress by saika

Reference