MemCyber
High CVSS 8.6 IDOR HackerOne

Disclosure

CRITICAL -- Unauthenticated Order Status IDOR -- Mass Enumeration of 6.2M+ Orders and Real-Time Cart Monitoring

The /ajax/get-order-status endpoint returns the order status (status, refund_status) for any order_id without any authentication or authorization check. Approximately 6,210,000+ order numbers can be enumerated. Five different status types are exposed: completed, expired, in_cart, sent, apply_refund. Real-time in_cart status monitoring
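To make the root cause concrete, here is an added example (not the vendor's code, and not from MemCyber's report) of an order-status handler modelled on the disclosed endpoint: the vulnerable form that keys the lookup on order_id alone, beside a hardened form that requires a session and scopes the lookup to the caller's own orders. The Order fields, the owner_id column, the refund_status values and the sample rows are all constructed assumptions; only the five status names come from the disclosure.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Status values named in the disclosure.
ORDER_STATUSES = {"completed", "expired", "in_cart", "sent", "apply_refund"}


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int                 # account that placed the order (assumed field)
    status: str
    refund_status: Optional[str]  # constructed values; not taken from the report


# Constructed sample data standing in for the orders table.
ORDERS: Dict[int, Order] = {
    6210001: Order(6210001, owner_id=42, status="in_cart", refund_status=None),
    6210002: Order(6210002, owner_id=77, status="completed", refund_status="pending"),
}


def get_order_status_vulnerable(order_id: int) -> Optional[dict]:
    """Reproduces the flaw: any caller, any order_id, no identity consulted.

    A sequential order_id space plus this handler is what makes the whole
    table enumerable and lets in_cart transitions be watched in real time.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"status": order.status, "refund_status": order.refund_status}


def get_order_status_fixed(session_user_id: Optional[int], order_id: int) -> Tuple[int, Optional[dict]]:
    """Hardened version: authenticate first, then authorize against ownership.

    Returns (http_status, body). 404 is used for both 'missing' and 'not yours'
    so the response does not confirm whether a given order_id exists.
    """
    if session_user_id is None:
        return 401, None                      # unauthenticated: reject before touching data
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        return 404, None                      # identical answer for absent and foreign orders
    assert order.status in ORDER_STATUSES    # only return fields the caller is entitled to
    return 200, {"status": order.status, "refund_status": order.refund_status}
```

Rate-limiting the endpoint and moving to non-sequential order identifiers reduce the blast radius, but neither substitutes for the ownership check above.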

Target
Gaming Marketplace
Category
IDOR
Channel
HackerOne
Disclosed
2026-03

Redaction note

Vendor identity withheld.

This finding is documented here as part of MemCyber’s public disclosure record. The vendor has been anonymized to a sector and region descriptor. Full technical detail — including root cause, reproducible proof-of-concept, remediation guidance, and vendor attribution where granted — is available to qualified prospects under NDA.

Coordinated disclosure

How we handled it.

  • Reported to the vendor via HackerOne with a reproducible proof-of-concept.
  • Triage + remediation window coordinated with the vendor security team.
  • Fix verified before any public reference.
  • This record published only after the embargo period closed.

Want the full technical detail?

Named vendor, PoC, remediation — shared under NDA.