Hi Guys,
Recently, while researching for bug bounty, I found a very critical IDOR vulnerability (explained in the last blog) in an Indian shopping website (again, I can't disclose the name for obvious reasons).
Some of the impact that I was able to achieve by exploiting this vulnerability:
- Full customer information disclosure, including complete name, mail id, phone number and address.
- Delete address from any user account
- Add address details to any user account.
I found this vulnerability in one shopping website of India. I had access to all their customer data before the concerned company patched it after I reported it to them.
Now let's see the steps:
1- Like every shopping website, there is a functionality to choose the delivery address where the customer wants his product shipped. When I clicked on the address where I wanted the product shipped and captured the HTTP request, I found that there is an address_id tagged with my address.
The response to the above request contains my delivery address: full name, mobile number, mail id, and address.
2- As can be seen in the above screenshot, these are my details. Now I tried changing the address_id to some other value like "1985170" and checked the response.
3- As there was no access control check, I was able to see the other user's address details. Now, by bruteforcing this 7-digit number, I was able to dump the details of all the customers of the company.
4- Similarly, there is a functionality to delete the address. I clicked on the remove address functionality and captured the request.
5- Now, by bruteforcing the address_id parameter, I was able to delete the address of any user from his account.
I used the address id that I got above.
And as expected, I got 200 OK.
Now let's check whether the address has been deleted from his account or not, by using the same method by which I extracted his information.
And again, as expected, the address associated with that particular id is deleted.
6- Similarly, I could add address to any customer account.
I clicked on edit address, and then save. The captured raw request is below-
7- Now, by bruteforcing the address id and the details, I was able to add my address to any user account by just giving the address id.
So this is all about this hack: a vulnerability directly affecting company reputation and customer trust.
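To make the root cause concrete, here is an added example (not code from the affected site, whose backend is unknown) showing the pattern behind steps 1-7 and its fix: a handler that looks up an address purely by the client-supplied address_id, beside one that also checks that the address belongs to the logged-in session user. The customer data, ids and the `Address` class are constructed for the demo; the fix additionally treats "not found" and "not yours" the same way so the response does not reveal which ids exist.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Address:
    address_id: int
    owner_id: int        # the customer account that saved this address
    full_name: str
    mobile: str
    email: str
    street: str


# Constructed sample data: two customers, one saved address each.
ADDRESSES: Dict[int, Address] = {
    1985169: Address(1985169, 101, "Alice Example", "9000000001", "alice@example.com", "1 First St"),
    1985170: Address(1985170, 202, "Bob Example", "9000000002", "bob@example.com", "2 Second St"),
}


class Forbidden(Exception):
    """Raised when the session user does not own the requested address."""


def get_address_vulnerable(session_user_id: int, address_id: int) -> Optional[Address]:
    # IDOR: the record is fetched by id alone; session_user_id is never consulted,
    # so any authenticated user can read (or delete) any address by changing the id.
    return ADDRESSES.get(address_id)


def _owned_address(session_user_id: int, address_id: int) -> Address:
    """Return the address only if it exists AND belongs to the session user."""
    addr = ADDRESSES.get(address_id)
    # Same failure for "missing" and "someone else's": the id space is not an oracle.
    if addr is None or addr.owner_id != session_user_id:
        raise Forbidden(f"address {address_id} is not accessible to user {session_user_id}")
    return addr


def get_address_fixed(session_user_id: int, address_id: int) -> Address:
    # Fixed view handler: ownership is enforced on every object access.
    return _owned_address(session_user_id, address_id)


def delete_address_fixed(session_user_id: int, address_id: int) -> bool:
    # Fixed delete handler: same ownership check before the destructive action.
    _owned_address(session_user_id, address_id)
    del ADDRESSES[address_id]
    return True
```

The same `_owned_address` gate belongs in front of the edit/add handler from step 6 as well, since the bug is the missing authorization check rather than any single endpoint.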
I reported this vulnerability on 23rd May and it got patched soon after, in about 1 week.
Suggestions, feedback, queries all are welcome :)
-logicbomb