#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company
Recently, I have found a serious vulnerability in Paytm (India’s largest digital wallet company ). Through which I was able to access every other user’s information containing their bill details, name , address etc. When I first reported to Paytm Security team , they did accept it but didn’t fix it saying “It is according to their functionality and third party issue”.
Then I tested out the same thing in other e-wallet companies like Mobikwik, Freecharge but fortunately they are not doing but they shouldn’t do, this vulnerability and such user information disclosure was not there. I again reported it to Paytm Team and this time they were quick to accept it.
Let’s see the technical details —
While doing online payment for electricity bill, I happened to reach this section —
After filing the required details that is my account number and associated mobile number , I was simply presented with my bill information-
Let’s check the HTTP request triggered —
As it can be seen , mobile number(recharge_number_2) and account number (recharge_number) is getting passed in order to validate the correct combination of both and presenting user with his bill details.But this is not what I thought it should be . I proceeded to change the account number i.e recharge_number parameter keeping any random mobile number and I was able to fetch complete bill details of some other user associated with that account number —
I was expecting Paytm must be having a strong application firewall and they should have placed some throttling over repeated requests but again there was nothing like this . I run intruder (bruteforcing) over consumer number and within couple of hours , I was having thousands of User’s bill information containing their name, address , bill amount , dob etc.
And this is how I was able to access information of other users in Paytm.
Thanks for reading!
~Logicbomb ( https://twitter.com/logicbomb_1 )
27-Nov-2017 — Bug reported to the concerned company.
5-Jan-2018 — Bug was marked fixed.
5-Jan-2018 — Tested and confirmed the fix.
5-Jan-2018 — Rewarded by company.
21-June-2018 — Bug re-opened.
25-July-2018 — Rewarded by company.