Exploiting JWT Token Leads To IDOR

AjakCybersecurity
5 min read · May 9, 2024

Hi, Ajak Amico’s, welcome back to another blog. Today I will show how I found an IDOR vulnerability by exploiting a JWT token; this specific attack can unsubscribe users from marketing emails without any user interaction. Before starting, if you haven’t subscribed to our channel, do subscribe, guys. Content related to cyber security, bug bounty, and digital forensics investigation.

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

Recon:

So I used this Google dork to find a specific target:

inurl: responsible disclosure Intext: blockchain

Target Name: flow.com

This Google dork fetches VDP (vulnerability disclosure) programs related to blockchain, so I just randomly went to one of the websites (flow.com). Upon entering, the first thing that popped up in the browser was ‘Subscribe to newsletter’.

After entering my email, I was redirected to my account hosted by Substack. Upon subscribing to the newsletter, I received an email from the target, saying ‘You are now subscribed,’ similar to the screenshot below.
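The intro names the bug class (an unsubscribe action that can be triggered for another subscriber through the JWT) but this page does not reach the exploit details. As an added example that is not from the original post, here is a constructed Python illustration of the defensive side: an unsubscribe handler with the IDOR-style weakness beside one that acts only on the identity carried inside a signature-verified token. The HS256 algorithm, the `sub`/`scope`/`exp` claims, the secret value and the handler names are all assumptions of this example, not facts about the target or about what the author found.

```python
"""Constructed example (not from the write-up): an unsubscribe endpoint that
binds the action to a signature-verified JWT instead of trusting the caller.

Assumptions (not stated in the post): tokens are HS256 JWTs carrying the
subscriber's email in the `sub` claim, and the server holds the HMAC secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-server-secret"  # placeholder; a real secret lives in a vault


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_unsubscribe_token(email: str, ttl_seconds: int = 7 * 24 * 3600, now=None) -> str:
    """Mint the token embedded in the 'unsubscribe' link mailed to `email`."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"sub": email, "scope": "unsubscribe", "exp": now + ttl_seconds}).encode()
    )
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_unsubscribe_token(token: str, now=None) -> Optional[dict]:
    """Return the claims only if alg is pinned, the signature matches and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("scope") != "unsubscribe" or claims.get("exp", 0) <= now:
        return None
    return claims


def unsubscribe_vulnerable(subscribers: set, token: str, email_param: str) -> bool:
    """IDOR-style handler: the email comes from a caller-controlled parameter and the
    token is only decoded, never verified, so any well-formed token unsubscribes anyone."""
    try:
        json.loads(_b64url_decode(token.split(".")[1]))  # 'decoded' and trusted blindly
    except (ValueError, IndexError):
        return False
    subscribers.discard(email_param)
    return True


def unsubscribe_hardened(subscribers: set, token: str, now=None) -> bool:
    """Hardened handler: the only identity acted on is the `sub` of a verified token,
    so the object reference is bound to the signed link the subscriber received."""
    claims = verify_unsubscribe_token(token, now=now)
    if claims is None:
        return False
    subscribers.discard(claims["sub"])
    return True


if __name__ == "__main__":
    subs = {"victim@example.com", "attacker@example.com"}  # constructed sample data
    forged = issue_unsubscribe_token("attacker@example.com").rsplit(".", 1)[0] + ".AAAA"
    print("vulnerable handler accepted forged token:", unsubscribe_vulnerable(set(subs), forged, "victim@example.com"))
    print("hardened handler accepted forged token:", unsubscribe_hardened(set(subs), forged))
```

The detection-side takeaway is the same as the mitigation: an unsubscribe (or any account-changing) link should carry a signed, scoped, expiring token, and the server should take the target identity only from the verified claims, never from a separate parameter or from an unverified payload.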

Security Researcher @UK || Digital Forensics Investigator || Web Pentester || YouTuber || Instructor || Blogger https://www.youtube.com/@ajakcybersecurity23