@Zer0H1ro@0xJeryy@wolfgang1696@odei_ai If a project is to progress and grow, involve the community in it.
check email i found a vulnerability on your website
@Zer0H1ro@Lunadoteth@odei_ai Thank you for the transparency and the heads-up about https://t.co/IYGN8QJNZv.
I completely understand the challenge with AI-generated spam reports it definitely makes manual review a lot tougher. I appreciate you taking the time to review my submission anyway.
Subject: Vulnerability Report: Insecure Direct Object Reference (IDOR) on /ascent/state
Hi @odei_ai@Zer0H1ro
I found a security flaw (IDOR / Broken Object Level Authorization) on the ODEI platform dashboard that allows anyone to view other users' account state and event histry
@Lunadoteth@Zer0H1ro@odei_ai Perhaps my report didn't meet their criteria.
But I'm also a bit confused about the rules for this Bug Bounty program; there aren't any clear guidelines written down. 😁
@Zer0H1ro@odei_ai Thank you for the clear explanation and for reviewing the report.
I completely understand your perspective regarding the public telemetry read model and how the actor parameter functions within your architecture.
Supposed to be testing autonomous AI agent runtimes and wallet integrations today... 🤖💸
Ended up finding an IDOR bug on the state endpoint because I changed the URL query to a dead address and the server just said "200 OK" and leaked it. Another day of being a tired dev 😭🫣
@odei_ai@Zer0H1ro [ Recommendation ]
Remove the actor query parameter for self-service lookups and derive the wallet identity directly from the decoded session token/cookie on the backend.
Let me know if you need any further logs or details regarding this! 🫡
@odei_ai@Zer0H1ro [ Impact ]
Information Disclosure. If active users or founders have historical data inside lastEvents, an unauthenticated or low-privilege actor can map out their runtime activities, operations, and XP metrics simply by cycling wallet addresses.