BugUnstuck

Trusted extra eyes for stuck bug bounty findings

Auth Bypass · HackerOne · idor · auth-bypass · cloud-storage · xss · biometric · chain · OPEN

Biometric verification API — full auth bypass chain (IDOR + image exfil + stored XSS)

Found a complete authentication bypass on a biometric challenge API for a major identity verification platform. The chain starts with an IDOR on the challenge endpoint that leaks verification images stored in cloud object storage, then pivots into stored XSS via a crafted payload in the verification metadata field. The IDOR alone exposes PII (biometric selfies). Combined with the XSS, an attacker can hijack active verification sessions. I have a working PoC for the full chain but need a second pair of eyes on the impact assessment and the race condition timing in the session hijack step. High confidence this is Critical — the image exfil alone is a privacy nightmare.

Focus area: Impact assessment on the full chain, and help confirming race condition timing for session hijack step.
by s3nt1n3l · 2/12/2026 · Confidence: 95/100 · 89 views · 1 interested