Full Admin Account Takeover via Insecure ID Parameter | Bug Bounty PoC
Author: WhiteHat Workspace
Uploaded: 2025-09-27
Views: 2909
In this video I demonstrate a critical account takeover vulnerability that allowed me to compromise an admin account via an insecure UID-based endpoint. During testing I discovered an endpoint that exposed admin UIDs, and another endpoint that accepted a user id (UID) parameter and returned/updated account details. Because the server did not validate ownership, changing the id to an admin UID allowed viewing and updating that admin’s profile — including replacing the phone number with a number I control. After changing the phone, I was able to authenticate using the updated number, resulting in a complete admin account takeover.
This video is a Bug Bounty Proof of Concept (PoC) recorded with full permission from the organization. I have responsibly disclosed the issue and received approval to publish this demo.
What this video covers (high-level):
Discovery of exposed admin UIDs
How insecure id parameters (UID IDOR) lead to broken access control
Real-world impact: view and edit admin details → account takeover
Responsible disclosure and recommended mitigations
Impact & risk:
This is a critical broken access control / IDOR issue that can lead to full account takeover of privileged users, exposing sensitive data and allowing administrative actions. Immediate remediation is recommended.
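The missing ownership check behind the UID endpoint described above, as an added Python example that is not code from the video or from the affected application; the in-memory store, the function names and the sample UIDs (1 = admin, 2 = ordinary user) are assumptions made for the illustration:

```python
from dataclasses import dataclass


@dataclass
class Profile:
    uid: int
    role: str
    phone: str


class Forbidden(Exception):
    """Raised when the authenticated caller does not own the target record."""


def fresh_store() -> dict:
    """Constructed sample data: UID 1 is the admin, UID 2 an ordinary user."""
    return {
        1: Profile(uid=1, role="admin", phone="+10000000001"),
        2: Profile(uid=2, role="user", phone="+10000000002"),
    }


def is_allowed(store: dict, session_uid: int, target_uid: int) -> bool:
    """Ownership rule: a caller may touch their own record, or any record if admin."""
    return target_uid == session_uid or store[session_uid].role == "admin"


def update_phone_vulnerable(store: dict, session_uid: int, target_uid: int, new_phone: str) -> Profile:
    """Vulnerable pattern: the uid comes from the request and is never compared
    with the session identity, so any logged-in user can change the phone number
    of any account, including the admin's (the IDOR shown in the video)."""
    profile = store[target_uid]
    profile.phone = new_phone
    return profile


def update_phone_hardened(store: dict, session_uid: int, target_uid: int, new_phone: str) -> Profile:
    """Hardened pattern: the record is bound to the authenticated identity
    before any read or write happens."""
    if not is_allowed(store, session_uid, target_uid):
        raise Forbidden(f"uid {session_uid} is not allowed to modify uid {target_uid}")
    profile = store[target_uid]
    profile.phone = new_phone
    return profile


def update_own_phone(store: dict, session_uid: int, new_phone: str) -> Profile:
    """Preferred design for self-service endpoints: the uid is taken from the
    session only, so there is no client-controlled id to tamper with. Because
    the phone is a login factor, a real service should also require step-up
    verification (e.g. a code sent to the old number) before accepting the change."""
    profile = store[session_uid]
    profile.phone = new_phone
    return profile
```

A server-side check that the requested record belongs to the session is what turns the "change the id to an admin UID" step into a 403, and a rejected cross-account request is also a useful signal to log for detection.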
Notes:
This video avoids showing destructive actions or step-by-step exploit instructions that could enable abuse.
The work shown here was authorized; do not test systems without explicit permission.