#BugBounty — How Naaptol (India’s popular home shopping company) Kept Millions of Users’ Data at Risk!

Hi Guys,

This particular hack is from my initial days of bug bounty hunting, and the main reason to pick it up from the vault is not to describe the technique used to find the vulnerability but:

To expose and highlight the poor security standards in the IT industry, bring to attention the major security loopholes that are left unattended even by big firms, and spread awareness among companies so that they take information security as seriously as any other branch.

Let’s see what the complete scenario was:

Like every online shopping website, Naaptol lets the user select the address to which the product should be shipped. During payment, the shipping address is fetched by its address id:

(Screenshot: Shipping Address HTTP request during payment)

The response to the above request contains the address, including the complete details of the user associated with that address id:

(Screenshot: User Address Details)

And here comes a classic case of Insecure Direct Object Reference (IDOR): I changed the address id to another number (the ids were found to be sequential), from 17917835 to 17917837, and without any surprise I was able to see the full details of the other user associated with that id, including sensitive details such as the victim’s full name, complete address, mobile number, etc.

(Screenshot: Accessing other user details)

I then ran Intruder, brute-forced the address id and was able to fetch the complete details of a large number of Naaptol users.
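To make the flaw concrete for developers reading this, here is an added example (not code from the original post and not Naaptol's own code) that models the address lookup described above as a plain Python function: the vulnerable version trusts the address id from the request, the fixed version checks that the row belongs to the logged-in user, and a small enumeration routine reproduces the Intruder run over a range of sequential ids to show how many other users' records each version leaks. The in-memory store, the user ids, the names and the function names are all constructed for illustration.

```python
"""Added example (not from the original post): an in-memory model of the
address lookup described above, with the IDOR beside its fix.

Everything here is constructed for illustration: the store, the owner ids,
the names and the handler signatures are assumptions, not Naaptol's real
data or code. The endpoint is a plain function rather than an HTTP handler
so the example runs offline."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Address:
    address_id: int
    owner_id: int          # the account that created this shipping address
    full_name: str
    street: str
    mobile: str


# Constructed sample data. The ids are sequential, as the post observed.
ADDRESSES: Dict[int, Address] = {
    17917835: Address(17917835, 1001, "Attacker Account", "1 Test Lane", "9000000001"),
    17917836: Address(17917836, 2002, "Victim One", "22 Park Road", "9000000002"),
    17917837: Address(17917837, 3003, "Victim Two", "7 Lake View", "9000000003"),
}

Handler = Callable[[int, int], Optional[Address]]


def get_address_vulnerable(session_user_id: int, address_id: int) -> Optional[Address]:
    """IDOR: the id taken from the request is used as-is. The logged-in user
    is never consulted, so any authenticated caller can read any row."""
    return ADDRESSES.get(address_id)


def get_address_fixed(session_user_id: int, address_id: int) -> Optional[Address]:
    """Fix: load the row, then verify it belongs to the session user.

    Returning None (a 404 in HTTP terms) for both "no such id" and "not
    yours" also avoids confirming which ids exist; an explicit 403 would be
    the other common choice. Random or opaque ids would slow enumeration
    down, but only this ownership check actually closes the hole."""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.owner_id != session_user_id:
        return None
    return addr


def enumerate_addresses(handler: Handler, session_user_id: int,
                        start: int, count: int) -> List[Address]:
    """Models the Intruder run from the post: walk a range of sequential
    ids as one logged-in user and keep every record the handler returns."""
    found: List[Address] = []
    for address_id in range(start, start + count):
        addr = handler(session_user_id, address_id)
        if addr is not None:
            found.append(addr)
    return found


def other_users_exposed(handler: Handler, session_user_id: int,
                        start: int, count: int) -> int:
    """How many returned records belong to someone other than the caller."""
    return sum(1 for a in enumerate_addresses(handler, session_user_id, start, count)
               if a.owner_id != session_user_id)


if __name__ == "__main__":
    me = 1001  # the attacker's own account in the constructed data
    print("vulnerable handler, other users' rows:",
          other_users_exposed(get_address_vulnerable, me, 17917835, 3))  # 2
    print("fixed handler, other users' rows:     ",
          other_users_exposed(get_address_fixed, me, 17917835, 3))       # 0
```

Run it directly to see the two counts. The point of `other_users_exposed` is that the enumeration step is identical against both handlers; only the authorization check inside the handler decides whether a sequential id space turns into a data dump.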

(Screenshot: Naaptol User Details)

It is also sad to see that many companies still fail to appreciate and acknowledge the efforts of ethical hackers who are trying to make the internet a safer place to surf. I write this with the intent and hope that such articles create a positive change in bringing information security to the forefront.

Report details:

05-May-2016 — Notified the Naaptol team via mail.

The conversation was dropped by the Naaptol team midway.

The vulnerability was later found to be fixed.

06-June-2016 — Notified the team of the responsible disclosure.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )