#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company

Hi Guys,

Recently, I have found a serious vulnerability in Paytm (India’s largest digital wallet company ). Through which I was able to access every other user’s information containing their bill details, name , address etc. When I first reported to Paytm Security team , they did accept it but didn’t fix it saying “It is according to their functionality and third party issue”.

Then I tested out the same thing in other e-wallet companies like Mobikwik, Freecharge but fortunately they are not doing but they shouldn’t do, this vulnerability and such user information disclosure was not there. I again reported it to Paytm Team and this time they were quick to accept it.

Issue re-reported to Paytm
Paytm Team Response

Let’s see the technical details —

While doing online payment for electricity bill, I happened to reach this section —

Online Electricity Payment — Paytm

After filing the required details that is my account number and associated mobile number , I was simply presented with my bill information-

Bill Details

Let’s check the HTTP request triggered —

HTTP Request for getting bill information

As it can be seen , mobile number(recharge_number_2) and account number (recharge_number) is getting passed in order to validate the correct combination of both and presenting user with his bill details.But this is not what I thought it should be . I proceeded to change the account number i.e recharge_number parameter keeping any random mobile number and I was able to fetch complete bill details of some other user associated with that account number —

Other user bill details disclosure

I was expecting Paytm must be having a strong application firewall and they should have placed some throttling over repeated requests but again there was nothing like this . I run intruder (bruteforcing) over consumer number and within couple of hours , I was having thousands of User’s bill information containing their name, address , bill amount , dob etc.

User Information disclosure
User Information disclosure

And this is how I was able to access information of other users in Paytm.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )

Report details-

27-Nov-2017 — Bug reported to the concerned company.

5-Jan-2018 — Bug was marked fixed.

5-Jan-2018 — Tested and confirmed the fix.

5-Jan-2018 — Rewarded by company.

21-June-2018 — Bug re-opened.

25-July-2018 — Rewarded by company.

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer @groferseng | DevSecOps | Breaking stuff to learn | Acknowledged by Google, NASA, Yahoo, United Nations, BBC etc.