📌 1. Reporting information
🧩 2. Overview of Vulnerabilities
- Vulnerability title: Download other users' profile photos via authorization bypass (IDOR)
- Date and time of discovery: 2025.05.24
- Discovery Location (URL or System Path) : https://reolink-storage.s3.us-east-1.amazonaws.com/website/uploads/cloud/avatars/951827415007458.jpg
- Vulnerability type (CWE ID): CWE-639: Authorization Bypass Through User-Controlled Key
- Description of vulnerability: Profile photo objects for the Reolink service are served from an S3 URL whose only variable part is the owner's numeric user ID, and no server-side authorization check is performed when they are fetched. This is an Insecure Direct Object Reference (IDOR): an attacker who knows or guesses another user's ID can substitute it into the URL and download that user's profile photo without any permission, credentials or session.
🔍 3. Details
- Affected Products/Services: Reolink Web and Mobile App Services (User Profile Features)
- Product Version: App 4.53.1.0.20250526 and the web service
- Vulnerable Components: Access control policy for profile photo objects stored in an Amazon S3 bucket
- Attack Vector: The avatar URL points at an unauthenticated, publicly readable S3 object. Once the URL structure is known, an attacker can enumerate or brute-force user IDs in the predictable numeric format and bulk-download profile photos. The attack is carried out remotely over the network and requires neither credentials nor user interaction.
- Reproduction procedure:
Verification was performed safely using two test accounts (Account A and Account B) created and owned by the reporter, without any mass scanning.
1. [Identify the URL structure]: Log in to the Reolink mobile app with test Account A. Then inspect the app's internal storage (the share_reolink.xml file) or its logs to find the URL from which the profile photo is fetched.
Verified URL format: https://reolink-storage.s3.us-east-1.amazonaws.com/website/uploads/cloud/avatars/{USER_ID}.jpg
Here {USER_ID} is a per-user identifier in the same numeric format as 951827415007458.
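The following script is an added example written for this report, not code from the Reolink app or from the original submission. It does two things a verifier would want: it builds the avatar URL from the format above and fetches it from a client that holds no session or cookies, classifying the result (a 200 with an image Content-Type confirms the object is public, a 401/403 means access control is enforced), and it contrasts that with a gated design in which the server first checks the session's right to the requested avatar and then issues a short-lived HMAC-signed URL. The 15-digit ID format is inferred from the single sample ID in the report, the signing key and the "shared_with" allow-list are constructed assumptions, and the `transport` argument exists so the check can be exercised offline; none of this enumerates IDs.

```python
import hashlib
import hmac
import re
import time
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# URL structure quoted in the report; the 15-digit ID format is an
# assumption drawn from the one sample ID the report gives.
AVATAR_BASE = ("https://reolink-storage.s3.us-east-1.amazonaws.com"
               "/website/uploads/cloud/avatars/")
USER_ID_RE = re.compile(r"\d{15}")


def avatar_url(user_id: str) -> str:
    """Build the direct object URL for one user ID; reject anything that does
    not match the expected numeric format so a typo is never sent out."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("user ID must be a 15-digit number")
    return f"{AVATAR_BASE}{user_id}.jpg"


def classify_access(status: int, content_type: str) -> str:
    """Turn the result of an unauthenticated HEAD into a verdict."""
    if status == 200 and content_type.lower().startswith("image/"):
        return "public"        # readable with no credentials: IDOR confirmed
    if status in (401, 403):
        return "denied"        # access control is enforced
    if status == 404:
        return "missing"       # no object for that ID (or 403 masked as 404)
    return f"unexpected:{status}"


def _head_no_credentials(url: str):
    """Real transport: HEAD with no cookies and no Authorization header."""
    req = Request(url, method="HEAD", headers={"User-Agent": "avatar-access-check/1.0"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def check_unauthenticated(user_id: str, transport=_head_no_credentials) -> str:
    """Fetch Account B's avatar from a client that has never logged in.
    `transport` is injectable so the logic can run offline."""
    status, content_type = transport(avatar_url(user_id))
    return classify_access(status, content_type)


# ---- Gated alternative: an illustration of a fix, not Reolink's code ----
# Instead of handing clients a stable, guessable object URL, the server
# checks the session first and returns a short-lived HMAC-signed URL.
SIGNING_KEY = b"constructed-server-side-key"   # constructed for the example


def authorize_avatar(session_user_id: str, requested_user_id: str, shared_with=()) -> bool:
    """Server-side rule (assumed product semantics): a user may read their own
    avatar, or one whose owner has explicitly shared it with them."""
    return requested_user_id == session_user_id or session_user_id in shared_with


def signed_avatar_url(session_user_id, requested_user_id, now=None, ttl=300, shared_with=()):
    """Authorize, then mint a URL that expires after `ttl` seconds."""
    if not authorize_avatar(session_user_id, requested_user_id, shared_with):
        raise PermissionError("session is not allowed to read this avatar")
    expires = int(time.time() if now is None else now) + ttl
    sig = hmac.new(SIGNING_KEY, f"{requested_user_id}:{expires}".encode(),
                   hashlib.sha256).hexdigest()
    return avatar_url(requested_user_id) + "?" + urlencode({"exp": expires, "sig": sig})


def parse_signed_url(url: str):
    """Return (user_id, expires, sig) from a signed URL."""
    parts = urlparse(url)
    user_id = parts.path.rsplit("/", 1)[-1].removesuffix(".jpg")
    qs = parse_qs(parts.query)
    return user_id, int(qs["exp"][0]), qs["sig"][0]


def verify_signed_url(url: str, now=None) -> bool:
    """What the object gateway checks before serving the bytes: the signature
    binds the user ID in the path, so swapping the ID invalidates it."""
    user_id, expires, sig = parse_signed_url(url)
    if (time.time() if now is None else now) > expires:
        return False
    expected = hmac.new(SIGNING_KEY, f"{user_id}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

For a live check, call `check_unauthenticated` with Account B's ID from a host that has never logged in to Reolink; a verdict of "public" reproduces the finding with only the two owned accounts. The signed-URL half shows why the fix belongs on the server: the gateway never learns who is asking, it only verifies that a signature covering this exact user ID was minted by a service that already ran the authorization check.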