← all writeups
Bug Bounty

Chaining an IDOR into Full Account Takeover

Jan 20, 2026 · 6 min · by Abhishek Bhaskar (Abhi HackZ)

This is a starter/example post. Replace it with your real writeup.

During a private engagement I found what looked like a low-severity IDOR on an order-details endpoint. On its own it leaked another tenant's order metadata — annoying, but not critical.

The chain

  1. The id parameter accepted any order ID with no ownership check.
  2. Order objects embedded the customer's password-reset token.
  3. That token could be replayed against the public reset endpoint.

Chained together, a "low" became a full account takeover for any user whose order ID I could guess or enumerate.

Takeaways

Abhishek Bhaskar (Abhi HackZ)
Security Analyst & VAPT Engineer
Book a free 30-min security scoping call →