That’s how much your private information is worth!!!

Information leakage of user data in the checkout functionality

  1. After purchasing a product, during checkout, when you specify the shipping address, the web application sends a request to look up the customer's address and other information.

Picture1

The web request sent by the web application can be intercepted with Burp Suite.


The boxed area is the response sent by the server. The response contains user information such as name, mobile number and address.

Picture2

Similarly, other users' information can be fetched simply by changing the id parameter.

Picture4


All of this user information can be fetched with a simple Python script.

Download the Python script from here: https://filehost.net/2a1c7542c4f6b694

The password is Z00mbie

Running the script gives you the information for every user present in the database.

Picture7
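As an added example (not the post's own script, whose download link is above), here is the address-lookup endpoint modelled as plain Python functions: the lookup that trusts the client-supplied id, the ownership check that fixes it, and a log check that flags a single session requesting many different customer ids. The customer records, session ids and log format are constructed for the example.

```python
# Added example (not the post's script): an address-lookup endpoint modelled as
# plain functions, showing the IDOR the post describes and the server-side fix,
# plus a log check that flags one session walking many customer ids.
from collections import defaultdict

# Constructed customer table; names, numbers and addresses are made up.
CUSTOMERS = {
    101: {"name": "A. Customer", "mobile": "555-0101", "address": "1 Sample St"},
    102: {"name": "B. Customer", "mobile": "555-0102", "address": "2 Sample St"},
}

def lookup_address_vulnerable(session_user_id, requested_id):
    """Trusts the client-supplied id and never checks ownership (IDOR)."""
    return CUSTOMERS.get(requested_id)

def lookup_address_fixed(session_user_id, requested_id):
    """Only returns the record that belongs to the authenticated session.
    Returning None for both 'not found' and 'not yours' avoids confirming
    which ids exist."""
    if requested_id != session_user_id:
        return None
    return CUSTOMERS.get(session_user_id)

# Constructed access-log lines in the form "session_id GET /customer/<id>".
SAMPLE_LOG = """\
s1 GET /customer/101
s1 GET /customer/102
s1 GET /customer/103
s1 GET /customer/104
s2 GET /customer/102
"""

def sessions_enumerating_ids(log_text, threshold=3):
    """Return sessions that requested more than `threshold` distinct customer
    ids: a checkout page needs one customer's address, not dozens."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/customer/"):
            continue
        ids_by_session[parts[0]].add(parts[2].rsplit("/", 1)[1])
    return sorted(s for s, ids in ids_by_session.items() if len(ids) > threshold)

if __name__ == "__main__":
    print(lookup_address_vulnerable(101, 102))  # leaks another customer's record
    print(lookup_address_fixed(101, 102))       # None
    print(sessions_enumerating_ids(SAMPLE_LOG)) # ['s1']
```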

I reported it to the company, and this is how they responded:


At this age I can't handle this amount of money and fame, so I'm returning it.

Screen Shot 2018-08-21 at 1.14.45 PM

Beware: they don’t treat your information confidentially.

2 thoughts on “That’s how much your private information is worth!!!”

  1. Firstly, it's a small company, having no bug bounty program.
    Secondly, why did you exploit it, why did you test it? They have no bug bounty program.
    Thirdly, why are you making the user data public and then saying “Beware they don’t treat your information confidentially in terms of security.”? You yourself are doing the same thing and not treating the information confidentially in a proper way. LOL.
