#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company

Hi Guys,

Recently I found a serious vulnerability in Paytm (India’s largest digital wallet company) through which I was able to access every other user’s information: their bill details, name, address, etc. When I first reported it to the Paytm security team, they accepted it but did not fix it, saying “It is according to their functionality and third party issue”.

I then tested the same thing on other e-wallet companies such as Mobikwik and Freecharge; fortunately, this vulnerability and the resulting user information disclosure were not present there. I reported it to the Paytm team again, and this time they were quick to accept it.

[Screenshot: Issue re-reported to Paytm]
[Screenshot: Paytm Team Response]

Let’s look at the technical details.

While paying an electricity bill online, I reached this section:

[Screenshot: Online Electricity Payment — Paytm]

After filling in the required details, i.e. my account number and the associated mobile number, I was simply presented with my bill information:

[Screenshot: Bill Details]

Let’s check the HTTP request that was triggered:

[Screenshot: HTTP Request for getting bill information]

As can be seen, both the mobile number (recharge_number_2) and the account number (recharge_number) are passed, presumably so that the server validates that the combination is correct before presenting the user with his bill details. But that is not what actually happens. I changed the account number, i.e. the recharge_number parameter, while leaving a random mobile number in place, and I was able to fetch the complete bill details of the other user associated with that account number. In other words, the mobile number is never checked against the account: the account number alone is enough to retrieve anyone’s bill.

[Screenshot: Other user bill details disclosure]

I expected Paytm to have a strong web application firewall and some throttling of repeated requests, but again there was nothing of the kind. I ran Intruder (brute-forcing consecutive consumer numbers), and within a couple of hours I had thousands of users’ bill records containing their name, address, bill amount, DOB, etc.
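To make the two findings above concrete, here is an added example (my own illustration, not Paytm’s code or any code from the original post) of a bill-lookup endpoint in both forms: the vulnerable version, where the account number alone selects the record and the mobile number is accepted but never compared, and the hardened version, which requires both identifiers to match and sits behind a per-client rate limiter so that an Intruder-style sweep over consumer numbers is cut off. The parameter names recharge_number and recharge_number_2 come from the request shown in the post; the bill records, the RateLimiter class, and the enumerate_accounts model of a brute-force run are constructed for this example.

```python
"""Added illustration of the bill-lookup flaw and its fix.

Hypothetical code: the records, endpoint functions and limiter are made up
for this example and are not Paytm's implementation. Parameter names follow
the post (recharge_number = consumer/account number, recharge_number_2 =
mobile number).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Bill:
    account: str
    mobile: str
    name: str
    address: str
    amount: float


# Constructed sample records (not real customers).
BILLS: Dict[str, Bill] = {
    "100000001": Bill("100000001", "9000000001", "A. Sharma", "12 Lake Rd", 1240.50),
    "100000002": Bill("100000002", "9000000002", "B. Verma", "7 Hill St", 980.00),
    "100000003": Bill("100000003", "9000000003", "C. Rao", "3 Park Ave", 1530.25),
}


def lookup_vulnerable(recharge_number: str, recharge_number_2: str) -> Optional[Bill]:
    """Behaviour described in the post: the account number alone selects the
    record; recharge_number_2 is received but never checked, so anyone who
    can guess an account number gets its bill (an IDOR)."""
    return BILLS.get(recharge_number)


def lookup_hardened(recharge_number: str, recharge_number_2: str) -> Optional[Bill]:
    """Both identifiers must match the stored record. A wrong mobile number
    yields the same None as an unknown account, so the response does not tell
    the caller which of the two was wrong."""
    bill = BILLS.get(recharge_number)
    if bill is None or bill.mobile != recharge_number_2:
        return None
    return bill


class RateLimiter:
    """Sliding-window limiter keyed per client (source IP, session, etc.):
    at most `limit` lookups in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:   # drop expired entries
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def enumerate_accounts(
    lookup: Callable[[str, str], Optional[Bill]],
    limiter: Optional[RateLimiter],
    client: str,
    start: int,
    count: int,
    now: float = 0.0,
) -> Tuple[List[Bill], int]:
    """Model of an Intruder run: try `count` consecutive account numbers with a
    fixed bogus mobile number, 10 ms apart. Returns (records_leaked,
    requests_blocked_by_limiter)."""
    leaked: List[Bill] = []
    blocked = 0
    for i in range(count):
        if limiter is not None and not limiter.allow(client, now + i * 0.01):
            blocked += 1
            continue
        bill = lookup(str(start + i), "0000000000")  # attacker does not know the mobile
        if bill is not None:
            leaked.append(bill)
    return leaked, blocked


if __name__ == "__main__":
    leaked, _ = enumerate_accounts(lookup_vulnerable, None, "attacker", 100000000, 10)
    print("vulnerable endpoint leaked", len(leaked), "records")
    leaked, blocked = enumerate_accounts(lookup_hardened, RateLimiter(5, 60.0), "attacker", 100000000, 10)
    print("hardened endpoint leaked", len(leaked), "records;", blocked, "requests throttled")
```

The check that matters is the second identifier comparison in lookup_hardened: a mobile number that is accepted but not verified adds no security, and a uniform “not found” response stops the endpoint from doubling as an oracle for which accounts exist. The limiter is a separate, defence-in-depth control; on its own it only slows an enumeration down, which is why the post’s “thousands of records in a couple of hours” figure is a throttling failure layered on top of the authorization failure, not a substitute finding.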

[Screenshot: User Information disclosure]
[Screenshot: User Information disclosure]

And this is how I was able to access the information of other Paytm users.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )


Report details:

27-Nov-2017 — Bug reported to the concerned company.

5-Jan-2018 — Bug was marked fixed.

5-Jan-2018 — Tested and confirmed the fix.

5-Jan-2018 — Rewarded by company.

21-June-2018 — Bug re-opened.

25-July-2018 — Rewarded by company.
