Buying A Gift Can Cost You Your PII Data
Almost 1 year ago I reported one PII Data leak to Winni Bug Bounty Program.
After 20+ follow up mail I am disclosing the issue though Winni team fixed the issue silently without responding back.
So the issue is a pretty straight forward IDOR
Winni delivers cake and gift to your loved one , while placing the order before payment its ask for the address.
While selecting the address one POST request made to fetch the address in reference to addressId.
Alter the addressid value to fetch other user's address along with name and phone number.
As the addressId is sequential an attacker can fetch all address available in the database . Which will result mass PII leaks including data such as names, phone numbers and addresses.
PS- Don't waste your time by reporting their bug bounty program.
Thanks for reading, any suggestion feedback are welcome