Daily BugForge Challenge: Cafe Club (new)
Hey everyone — 404Yeti here, back with another BugForge challenge.
Today we’re revisiting Cafe Club, but this time we’re focusing purely on an IDOR vulnerability and how it can scale into something much worse: mass account takeover.
Let’s break it down. ❄️
Step 1: Create 2 accounts
For this vulnerability we need two accounts: one to act as the attacker and one to act as the victim, so we can prove that a request sent from one account changes data belonging to the other.

Keep in mind that the first user gets the id 5 and the second user gets the id 6. The ids are plain sequential integers, which is what makes the enumeration later trivial.


Step 2: Change your password

Log in as the second user (id 6) and change the password, so the application sends the password-change request through the API.

Now let's look at the request in Caido.

The request carries the user id 6 as a parameter, and that parameter, not the logged-in session, is what the server uses to decide whose password changes. So let's pretend we don't know any other users' ids and see how far one parameter gets us. (People often call the next step "spraying", but it is an id sweep, not password spraying: we are not guessing passwords, we are setting them.)
Step 3: Automate and highlight the target

Send the request to Caido's Automate, mark the id value (6) as the payload position, and run a simple number list from 1 to 10.

Something really interesting happened: every one of the 10 requests came back successful, so we changed 10 people's passwords with a single sweep.

The flag is in the response, but the real takeaway is how little it took: one captured request and a 10-value wordlist, and every account in that range now has a password we chose while its real owner is locked out.
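As an added example that is not part of the original write-up or the Cafe Club application, here is a small Python model of the bug and its fix: a password-change handler that trusts the id in the request body (the behaviour seen above), the hardened version that takes the target from the session and re-checks the current password, and the same 1..10 id sweep run against both. The endpoint shape, the parameter names (`id`, `current_password`, `new_password`), the in-memory user table and the attacker id (6, the second account) are assumptions made for the demo.

```python
"""Added example, not the Cafe Club code: IDOR in a password-change
endpoint, its hardened form, and the 1..10 id sweep run against both.
Endpoint shape, parameter names and user ids are assumptions."""
import hashlib
import hmac
import os

# Kept small so the demo runs quickly; production code should use a far
# higher count (or argon2/bcrypt).
PBKDF2_ITERATIONS = 1_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_users(count: int = 10) -> dict:
    """Constructed sample user table: ids 1..count, password 'original-<id>'."""
    users = {}
    for uid in range(1, count + 1):
        salt = os.urandom(16)
        users[uid] = {"salt": salt, "hash": _hash(f"original-{uid}", salt)}
    return users


def check_password(users: dict, uid: int, password: str) -> bool:
    rec = users[uid]
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def _set_password(users: dict, uid: int, password: str) -> None:
    salt = os.urandom(16)
    users[uid] = {"salt": salt, "hash": _hash(password, salt)}


def change_password_vulnerable(users: dict, session_uid: int, body: dict):
    """Models the behaviour seen in the write-up: the id in the body picks
    the account whose password changes."""
    target = int(body["id"])
    if target not in users:
        return 404, {"error": "no such user"}
    # BUG: no check that target == session_uid, and no current-password check.
    _set_password(users, target, body["new_password"])
    return 200, {"ok": True, "id": target}


def change_password_fixed(users: dict, session_uid: int, body: dict):
    """Hardened form: the session, not the request, decides whose password
    changes, and the caller must re-authenticate first."""
    target = int(body.get("id", session_uid))
    if target != session_uid:
        # Reject and (in a real app) log it: a burst of these from one
        # session against many ids is exactly the sweep below.
        return 403, {"error": "forbidden"}
    # Re-authenticate before a credential change so a stolen session alone
    # cannot lock the real owner out.
    if not check_password(users, session_uid, body.get("current_password", "")):
        return 401, {"error": "current password incorrect"}
    _set_password(users, session_uid, body["new_password"])
    return 200, {"ok": True, "id": session_uid}


def sweep(handler, users: dict, attacker_uid: int, attacker_password: str,
          ids, new_password: str) -> list:
    """Replay the captured change-password request once per id, as the
    1..10 Automate run does, and return the ids whose password we now own."""
    taken = []
    for uid in ids:
        body = {"id": uid, "current_password": attacker_password,
                "new_password": new_password}
        status, _ = handler(users, attacker_uid, body)
        if status == 200 and check_password(users, uid, new_password):
            taken.append(uid)
    return taken


if __name__ == "__main__":
    ATTACKER = 6  # the second account from Step 1 (assumed id)
    print("vulnerable:", sweep(change_password_vulnerable, make_users(), ATTACKER,
                               "original-6", range(1, 11), "Pwned123!"))
    print("fixed:     ", sweep(change_password_fixed, make_users(), ATTACKER,
                               "original-6", range(1, 11), "Pwned123!"))
```

Running it prints the ids each sweep took over: all ten for the vulnerable handler, only the attacker's own id for the fixed one. The fix is the ownership check (the target must be the session's user), not input validation on the id; re-authentication with the current password is a second, independent control so a hijacked session cannot silently lock the owner out.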
CVSS
Let's break it down:
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector | Network (N) | Exploitable over the network via the API |
| Attack Complexity | Low (L) | No special conditions: one captured request and a numeric wordlist |
| Privileges Required | None (N) | No privileges on the victim accounts are needed (see the caveat below) |
| User Interaction | None (N) | Fully automated; the victim does nothing |
| Scope | Changed (C) | Rated as reaching other users' accounts (see the caveat below) |
| Confidentiality | High (H) | Full access to every account in the swept range |
| Integrity | High (H) | Arbitrary modification of other users' credentials |
| Availability | Low (L) | Owners are locked out until they recover their accounts |
Vector Score:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L (10.0)

Two caveats a triager will raise. PR:N only holds if the endpoint accepts the request without a session; in the walkthrough the request came from a logged-in account, and if that session is required the metric is PR:L. Scope is also commonly rated Unchanged (S:U) for this bug, because the victim accounts sit inside the same application's security authority. With PR:L and S:U the same impact metrics score 8.3 (High), so the finding stays a priority-one fix either way.
Why this matters
This vulnerability exists in real applications more often than people think.
If exploited in production:
- Attackers can reset thousands of accounts
- Steal personal or financial data
- Escalate privileges (admin takeover)
- Completely compromise the platform
This is how breaches happen.
Final Thoughts
This challenge is a perfect reminder:
- Start small (one request)
- Then think bigger (automation)
- Then think impact (real-world damage)
Most people stop at:
👉 "Oh it’s IDOR"
But the real question is:
👉 "What happens at scale?"
❄️
"One broken endpoint is bad.
Ten broken accounts? That’s a headline."