Showing posts from June, 2015

[Responsible disclosure] How I could have hacked 62.5 million Zomato Users

Note: This is being published with the permission of the Zomato team. The vulnerability is now fixed. Zomato is an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users. While creating an account, a user can store his phone number, addresses and date of birth, link an Instagram account, etc. In one of the API calls, user data was reflected back based on the "browser_id" parameter in the API request. Interestingly, changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The leaked data also included the Instagram access token, which could be used to see the private Instagram photos of the respective Zomato users.
Below are the technical details of the vulnerability:
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result…
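The pattern described above, as an added example that is not Zomato's code: a minimal API handler that looks up a profile by a client-supplied `browser_id`, shown in its vulnerable form beside a hardened one that binds the lookup to the server-side session, plus a small log check that flags sessions walking many ids. All names, records, sessions and log lines are constructed for illustration.

```python
# Added example (not Zomato's code): the IDOR described above as a minimal
# API handler, the vulnerable lookup beside a hardened one, plus a log check
# for sequential-id enumeration. All names and data are constructed.
USERS = {  # constructed records keyed by a sequential browser_id
    1001: {"name": "alice", "phone": "+00-000-0001", "instagram_token": "tok-a"},
    1002: {"name": "bob", "phone": "+00-000-0002", "instagram_token": "tok-b"},
}
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}  # cookie -> owned browser_id

class Forbidden(Exception):
    pass

def get_user_profile_vulnerable(session_id, browser_id):
    """Vulnerable: the client-supplied browser_id is used directly as the
    object key, so any logged-in user can read any other user's record."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return USERS.get(browser_id)

def get_user_profile_fixed(session_id, browser_id):
    """Hardened: the key comes from the server-side session and the client
    value is only compared against it; the third-party token is no longer
    reflected to the client at all."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not logged in")
    if browser_id != owner:
        raise Forbidden("object does not belong to this session")
    return {k: v for k, v in USERS[owner].items() if k != "instagram_token"}

def fixed_allows(session_id, browser_id):
    """True if the hardened handler would serve the record."""
    try:
        get_user_profile_fixed(session_id, browser_id)
        return True
    except Forbidden:
        return False

def enumeration_suspects(log_lines, threshold=2):
    """Flag sessions that requested more than `threshold` distinct browser_ids;
    each constructed log line has the form 'session_id browser_id'."""
    seen = {}
    for line in log_lines:
        sid, bid = line.split()
        seen.setdefault(sid, set()).add(int(bid))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)

SAMPLE_LOG = ["sess-alice 1001", "sess-bob 1001", "sess-bob 1002",  # constructed
              "sess-bob 1003", "sess-bob 1004"]
```

The fix is the authorization check, not the id format: an unguessable id would only slow enumeration, while tying the object key to the session removes the class of bug.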