Discovering and Disclosing Privacy
Vulnerabilities in Large-Scale Social
Media Platforms
IDSECCONF 2025 | 9 November 2025
Mochammad Nosa Shandy Prastyo
Cyber Security Consultant
Father of One
whoami.apapedulimu.click root@apapedulimu.click
What is Privacy Vulnerability?
A privacy vulnerability is a weakness in systems
or personal behavior that allows private
information to be exposed to unauthorized
access, misuse, or harm.
Research Framework
Previous Research
Regulation
Their privacy policy and documentation help us better understand which behaviors are acceptable and which are not, allowing us to make statements based on their own words.
What questions should we ask when we want to identify a privacy vulnerability?
Conclusions of the Literature Review
Novel Scenario to the rescue!
01. How do I tailor the report so that it clearly shows this is a privacy vulnerability?
02. Does this vulnerability violate regulations? Focus on the regulatory concern as the main issue.
03. Does this vulnerability violate their own privacy policy? Their privacy policy is the place to learn what they do and what they should not do.
04. Does this vulnerability violate the expected behaviour described in their documentation? The expected behaviour of the feature helps us understand the vulnerability better.
Bug Hunting
01. Understanding Scope: understand the scope of work of the bug bounty and which vulnerability to look for next.
02. Preparing Tools: prepare tools, software, hardware and mindset, and a methodology for finding the vulnerability.
03. Vulnerability Found: find the vulnerability and then perform a deeper analysis of it.
Bug Hunting Methodology
Already found a vulnerability, but not sure whether it really is one? Just report it and accept an N/A later.
Reporting Step
01. Pray that it is valid and gets a bounty. Pray that we stay safe in this world and the hereafter; what is a bounty worth if we end up in hell.
02. Create Novelty Scenario: don't just point out the vulnerability; build the novel scenario that shows why this vulnerability counts as a privacy violation. Explain why it is the privacy violation described in the documentation / regulation.
03. Always back up your argument with data; don't speculate on your own, and don't rely on assumptions.
04. Use proper language and don't be rude :) Be polite, OK, kid? :D
Case #1: Family Pairing Features
Main Features: parents can control their kids' privacy settings through these features.
Controlling Privacy: can control the kids' privacy, such as private or public profile, who can comment, who can view the video, etc.
Controlling Application: overall, can control the main settings related to their kids on the application.
Controlling Screen Time: controlling the allowed screen time when using the application.
Case #1: Inconsistent Parental Control Over Liked Videos
Family Pairing Features
Behaviour:
If parents set the comment privacy to "No one," teens cannot change it to "Friends" or "Everyone."
If parents set liked videos visibility to "Everyone", the teen can still change it to "None."
Case #1: Inconsistent Parental Control Over Liked Videos
Assumptions:
Parents set liked videos visibility to "Everyone" (presumably to monitor what their teen likes), but the teen can still change it to "None," effectively hiding their liked videos from both the public and their parents.
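To make the inconsistency concrete, here is a small Python model added for this write-up (not code from the talk or from the platform) of the "tighten only" rule and of the liked-videos visibility check, beside a hardened check that keeps the linked parent's view; the class, function and account names are assumptions.

```python
# Added example, not code from the talk or the platform. A toy model of the
# Family Pairing rule "a teen may make a parent-set value more restrictive,
# never less", showing why it lets the teen hide liked videos from the
# supervising parent, plus a hardened visibility check that exempts the
# linked parent. Setting names follow the talk; everything else is assumed.

# Visibility levels ordered from least to most restrictive.
LEVELS = ["Everyone", "Friends", "None"]


def is_more_restrictive_or_equal(new, current):
    """The platform's rule as described: tightening is allowed, loosening is not."""
    return LEVELS.index(new) >= LEVELS.index(current)


class TeenAccount:
    def __init__(self, parent_id, liked_videos_visibility):
        self.parent_id = parent_id                              # linked supervising account
        self.liked_videos_visibility = liked_videos_visibility  # value the parent set

    def teen_set_liked_visibility(self, new):
        if not is_more_restrictive_or_equal(new, self.liked_videos_visibility):
            raise PermissionError("a teen may not loosen a parent-set value")
        self.liked_videos_visibility = new


def can_view_liked_videos_reported(viewer_id, is_friend, account):
    """Behaviour as reported: the level applies uniformly, parent included."""
    level = account.liked_videos_visibility
    if level == "Everyone":
        return True
    if level == "Friends":
        return is_friend
    return False  # "None" hides the list from the parent as well


def can_view_liked_videos_hardened(viewer_id, is_friend, account):
    """Proposed fix: the linked parent keeps the monitoring view regardless."""
    if viewer_id == account.parent_id:
        return True
    return can_view_liked_videos_reported(viewer_id, is_friend, account)


def demo():
    """Parent sets 'Everyone'; teen tightens to 'None'; can the parent still see?"""
    acct = TeenAccount(parent_id="parent-1", liked_videos_visibility="Everyone")
    acct.teen_set_liked_visibility("None")  # permitted by the tighten-only rule
    return (can_view_liked_videos_reported("parent-1", False, acct),
            can_view_liked_videos_hardened("parent-1", False, acct))
```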
I strongly believe this is an issue; although it might be Low, it's still an issue, right?
Better an N/A than staying curious.
Team Response:
"The teen can change their settings to be more restrictive (but not less restrictive) than their parents allow. However, we do appreciate the novel angle that the parents are then denied the ability to view certain data points on the young user's account."
The report is valid with Low severity, and I can buy bakso for my iftar (buka puasa) meal with $500 in hand.
Case #2: Privacy Settings on the Profile
Main Features: controlling the privacy of our account.
Privacy Settings: control the privacy settings, i.e. who can view specific content of ours.
Privacy Preferences: limit the privacy of our account, data deletion and the like.
Case #2: Privacy Settings on the Profile
Comment Privacy:
We can limit which group can comment, and limit which group can see our content. We can choose this per content or globally.
Some settings affect other settings. For example, when we set the video / content to "No one" or "Private", the video and its comments are no longer visible to other users.
Case #2: Privacy Settings on the Profile
Behaviour:
When a user changes the privacy setting from "Public" or "Friends" to "Private," other users should no longer be able to view the video, its content, or the comments section.
When users go back to that content it is no longer accessible; they cannot see the content or the comments section. However, if we had already replied to some comments on the video, we can still view those comments through the Activity Log.
Case #2: Privacy Settings on the Profile
Attack Scenario:
● User B comments on User B's own video, and User A replies to the comment.
● User B sets the video to "Private".
● The video and the comment section should now be private.
● However, User A can still see the User B and User A comment conversation via "Comment History".
Case #2: Privacy Settings on the Profile
Team Response:
Seeing a parent comment (even from the creator or another user) of your own reply in Comment History is explicitly designed as expected behavior, not a privacy vulnerability.
It's expected behaviour because we see our own reply in Comment History. But what if we can see other users' comments?
Case #2: Privacy Settings on the Profile
Comment Privacy:
There is a setting that lets us set comment privacy globally. When we set the "Allow comments from" section to "None" globally, our comment section shows nothing at all.
Maybe I can find an IDOR or something to disclose the comments, right?
Case #2: Privacy Settings on the Profile
IDOR:
I found an IDOR vulnerability that discloses comments, specifically the replied comments. Fun fact: the IDOR only discloses the comment when the setting is applied globally; when I set it on the individual video, the IDOR does not work. Weird, right? But it's a vulnerability, right? :'D
The Missing Pieces:
To perform the IDOR, I need two parameters: the video ID and the comment ID. Now, how can I get the comment ID from a video that is not showing any comments? :'D
Case #2: Privacy Settings on the Profile
IDOR:
Remember our "Expected Behaviour" bug? Now it's time to use it again to get the video ID and comment ID and complete our IDOR.
(Filling) The Missing Pieces:
(Theoretically) we can get the video ID and comment ID from the comment history and use them in our IDOR exploitation!
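The defensive side of this case, as an added example that is not the platform's code: an authorization check for a comment endpoint that consults only a per-video override (an assumed cause, consistent with the observation that the global "None" is bypassed while the per-video setting holds) beside one that makes the same decision the UI makes. The data model, field names and sample users are assumptions.

```python
# Added example, not the platform's code. Authorization for an endpoint that
# returns one comment by (item_id, comment_id): first in the shape the talk's
# observation suggests (only the per-video override is consulted, so a global
# "Allow comments from: None" is bypassed), then hardened to use the owner's
# effective setting and the video's privacy. Cause is assumed; data constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    user_id: str
    global_allow_comments_from: str = "Everyone"  # "Everyone" | "Friends" | "None"
    friends: set = field(default_factory=set)

@dataclass
class Video:
    item_id: str
    owner_id: str
    privacy: str = "Public"                        # "Public" | "Friends" | "Private"
    allow_comments_from: Optional[str] = None      # per-video override, if any

# Constructed sample: userB's video with global comments "None"; userA replied.
USERS = {"userA": User("userA"), "userB": User("userB", "None")}
VIDEOS = {"v1": Video("v1", "userB")}
COMMENTS = {("v1", "c1"): {"author": "userB", "text": "first"},
            ("v1", "c2"): {"author": "userA", "text": "reply", "reply_to": "c1"}}

def effective_comment_setting(video, owner):
    """What the UI applies: the per-video override if set, else the global value."""
    return video.allow_comments_from or owner.global_allow_comments_from

def video_visible_to(video, owner, viewer_id):
    if viewer_id == owner.user_id or video.privacy == "Public":
        return True
    return video.privacy == "Friends" and viewer_id in owner.friends

def fetch_comment_vulnerable(viewer_id, item_id, comment_id):
    """Checks only the per-video override, so the global "None" is never seen."""
    if VIDEOS[item_id].allow_comments_from == "None":
        return None
    return COMMENTS.get((item_id, comment_id))

def fetch_comment_hardened(viewer_id, item_id, comment_id):
    """Makes the same decision the UI makes before returning any comment."""
    video = VIDEOS[item_id]
    owner = USERS[video.owner_id]
    if not video_visible_to(video, owner, viewer_id):
        return None
    setting = effective_comment_setting(video, owner)
    if viewer_id != owner.user_id:
        if setting == "None" or (setting == "Friends" and viewer_id not in owner.friends):
            return None
    return COMMENTS.get((item_id, comment_id))
```

The important property is that the endpoint derives the effective setting from the same source as the UI instead of trusting that the UI alone enforces it.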
Team Response:
The likelihood of this vulnerability being exploited is virtually nonexistent, as there is no practical way to obtain the required comment_id and item_id parameters.
But still, it is a valid vulnerability with Low severity. You can buy bakso with this $500.
Case #3: Teens / Young Users Privacy
Main Features: as you know, teens / young users are restricted because of regulations.
Limitation Due to Regulations: some features are limited because of regulations and the privacy policy.
Lack of Parental Consent: GDPR and COPPA require parental consent before the application may interact with a child's data.
Privacy Policy: the privacy policy explicitly says that people under 18 years old cannot access some features.
Case #3: Teens / Young Users Privacy
Promotions Features
Behaviour:
Young users cannot promote their own video / content; access to promotional tools is "unavailable". The privacy policy explicitly says that people under 18 years old cannot access these features.
Case #3: Teens / Young Users Privacy
Assumptions:
Young users might be unable to access the promotional tool themselves. But can other people promote a young user's content? IDOR anyone?
Case #3: Teens / Young Users Privacy
Understanding the Features
Found out that I cannot perform an IDOR on other users' content. Noticed that there is a "collaborative" feature that allows us to promote other users' content.
Case #3: Teens / Young Users Privacy
Attack Scenario:
● The teen uploads a video as a public video.
● The teen opens the collaborative feature and sets it to "Allow promotion requests from anyone".
● Other users are then automatically able to promote the teen's video.
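What the fix looks like from the platform's side, as an added example that is not the platform's code: a promotion eligibility check that applies the under-18 rule only to the requester (the shape this scenario implies) beside one that also applies it to the content owner. The account model, the date arithmetic and the sample birth dates are assumptions.

```python
# Added example, not the platform's code. Eligibility check for a promotion
# request on a video, first in the shape the talk's scenario implies (only the
# requester's age is checked, so "Allow promotion requests from anyone" lets a
# third party promote a young user's content), then hardened so the policy is
# enforced on the content owner too. Ages and names are constructed.
from dataclasses import dataclass
from datetime import date

MIN_PROMOTION_AGE = 18  # threshold the talk cites from the privacy policy


@dataclass
class Account:
    user_id: str
    birth_date: date
    allow_promotion_requests: str = "No one"  # "No one" | "Anyone"


@dataclass
class Video:
    item_id: str
    owner: Account
    privacy: str = "Public"


def age_on(birth, today):
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def may_request_promotion_current(requester, video, today):
    """As observed: the under-18 rule is applied to the requester only."""
    if age_on(requester.birth_date, today) < MIN_PROMOTION_AGE:
        return False
    if requester.user_id == video.owner.user_id:
        return True
    return video.privacy == "Public" and video.owner.allow_promotion_requests == "Anyone"


def may_request_promotion_hardened(requester, video, today):
    """Policy is about the content: refuse if either party is under 18."""
    if age_on(video.owner.birth_date, today) < MIN_PROMOTION_AGE:
        return False
    return may_request_promotion_current(requester, video, today)


def demo(today=date(2025, 11, 9)):
    """A 16-year-old opts into requests from anyone; an adult asks to promote."""
    teen = Account("teen", date(2009, 5, 1), allow_promotion_requests="Anyone")
    adult = Account("adult", date(1990, 1, 1))
    video = Video("v1", teen)
    return (may_request_promotion_current(teen, video, today),    # teen self-promotion
            may_request_promotion_current(adult, video, today),   # third party, as observed
            may_request_promotion_hardened(adult, video, today))  # hardened
```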
Team Response:
"Thanks for the report, keep up the good work, here's $2,500 for your good work"
Conclusions
The main focus of a privacy vulnerability report is:
● Refer it to a regulation / the privacy policy.
● Create a novelty scenario based on facts, not just assumptions.
Conclusions
Privacy vulnerability is a new scope to explore in bug bounty; references may be lacking for now, but it is worth trying.
Just try your best, and let Allah handle the rest.
Thank you!

IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilities in Large-Scale Social Media Platforms–Methodology, Impact, and Case Studies.pdf
