BugForge - Daily - Ottergram (Repeat)
This is a repeat of the daily challenge from January 17th, 2026.
Vulnerability Overview
The Ottergram application contains an Insecure Direct Object Reference (IDOR) vulnerability in its WebSocket-based messaging functionality. After creating an account and observing the WebSocket traffic used for real-time messaging, the messaging workflow was tested by tampering with user-controlled identifiers such as recipient_id and messageId inside WebSocket events. Sending messages to oneself and inspecting the resulting notification traffic showed that the backend trusted the client-supplied message identifier without checking that the requesting user owned the message. Changing that identifier returned other users' private messages. The finding is a reminder that authorization controls must be tested on WebSockets and other real-time channels, not only on REST endpoints, during a penetration test.
Key Issues:
- The backend trusts client-supplied identifiers like recipient_id and messageId without ownership validation
- Authorization checks are missing or inconsistently applied between REST endpoints and WebSocket handlers
- Client-controlled identifiers serve as the sole basis for access decisions in real-time messaging
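The following is an added example, not Ottergram's code or anything from BugForge. It models the overview and the key issues above with a minimal in-memory stand-in for a WebSocket messaging backend: the same "read message" event handled the way the write-up describes (the client's messageId is the whole access decision) and with an ownership check bound to the server-side session, plus the tester's loop of messaging yourself and then sweeping neighbouring ids. The event names (message:read, message:send), field names and sample data are assumptions made for the example.

```javascript
// Added example, not Ottergram's code. Event and field names are assumed.
// Constructed sample store: messageId -> message. User 1 (alice) and user 2
// (bob) exchange traffic; message 102 belongs to strangers 3 and 4.
const store = new Map([
  [101, { messageId: 101, senderId: 1, recipientId: 2, body: "alice -> bob" }],
  [102, { messageId: 102, senderId: 3, recipientId: 4, body: "carol -> dave (private)" }],
  [103, { messageId: 103, senderId: 1, recipientId: 1, body: "alice's note to self" }],
]);
let nextId = 104;

// Vulnerable pattern from the write-up: the only check is "this socket is
// authenticated"; the messageId taken from the client frame is used directly
// as the lookup key, so any valid id returns someone else's message.
function readMessageVulnerable(session, event) {
  if (!session.userId) return { error: "unauthenticated" };
  const msg = store.get(Number(event.messageId));
  return msg ? { ok: true, message: msg } : { error: "not_found" };
}

// Hardened: identity comes from the session the server attached at the
// WebSocket handshake, never from the payload. The message is returned only
// if that user is its sender or recipient. A foreign id and a missing id
// both answer "not_found", so the response cannot confirm that an id exists.
function readMessageSecure(session, event) {
  if (!session.userId) return { error: "unauthenticated" };
  const id = Number(event.messageId);
  if (!Number.isInteger(id)) return { error: "bad_request" };
  const msg = store.get(id);
  const owned = msg && (msg.senderId === session.userId || msg.recipientId === session.userId);
  return owned ? { ok: true, message: msg } : { error: "not_found" };
}

// Send: recipient_id is legitimately client-chosen, but the sender is always
// the session user. Any sender field in the payload is ignored, not trusted.
function sendMessage(session, event) {
  if (!session.userId) return { error: "unauthenticated" };
  const recipientId = Number(event.recipient_id);
  if (!Number.isInteger(recipientId) || typeof event.body !== "string") {
    return { error: "bad_request" };
  }
  const msg = { messageId: nextId++, senderId: session.userId, recipientId, body: event.body };
  store.set(msg.messageId, msg);
  return { ok: true, messageId: msg.messageId };
}

// Tester's loop: replay the read event with a list of candidate ids and
// record which ones return content. Against a correct backend only ids the
// session user is party to come back.
function probeMessageIds(readHandler, session, ids) {
  return ids.filter((messageId) => readHandler(session, { messageId }).ok === true);
}

// Mirrors what the client actually sends over the socket: a JSON frame
// carrying an event name and the identifiers the handler will act on.
function dispatchFrame(handlers, session, rawFrame) {
  let event;
  try {
    event = JSON.parse(rawFrame);
  } catch {
    return { error: "bad_request" };
  }
  const handler = handlers[event.event];
  return handler ? handler(session, event) : { error: "unknown_event" };
}

const vulnerableHandlers = { "message:read": readMessageVulnerable, "message:send": sendMessage };
const secureHandlers = { "message:read": readMessageSecure, "message:send": sendMessage };

// Walk-through: alice messages herself to learn the id space, then sweeps the
// ids around the one she was given against both handler sets.
function demo() {
  const alice = { userId: 1 };
  const frame = JSON.stringify({ event: "message:send", recipient_id: 1, body: "probe" });
  const sent = dispatchFrame(secureHandlers, alice, frame);
  const sweep = [100, 101, 102, 103, sent.messageId, sent.messageId + 1];
  return {
    sentId: sent.messageId,
    vulnerableLeaks: probeMessageIds(readMessageVulnerable, alice, sweep),
    secureReturns: probeMessageIds(readMessageSecure, alice, sweep),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file shows the vulnerable handler leaking message 102 (carol to dave) to alice alongside her own ids, while the secure handler returns only 101, 103 and the message she just sent. The design point is that the fix is not to stop accepting messageId from the client (the client has to name the message somehow) but to make the session identity, not the client frame, the input to the ownership decision, and to apply that same check in the WebSocket handler as in the REST endpoint.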
Vulnerabilities Covered
- IDOR (Insecure Direct Object Reference) via WebSockets
Classification
- OWASP Top 10: A01:2021 - Broken Access Control
- Vulnerability Type: Insecure Direct Object Reference (IDOR)
- Attack Surface: WebSocket-based messaging
- CWE: CWE-639 - Authorization Bypass Through User-Controlled Key
