Buying A Gift Can Cost You Your PII Data

Buying A Gift Can Cost You Your PII Data

Almost 1 year ago I reported one PII Data leak to Winni Bug Bounty Program.

After 20+ follow up mail I am disclosing the issue though Winni team fixed the issue silently without responding back.

So the issue is a pretty straight forward IDOR

Winni delivers cake and gift to your loved one , while placing the order before payment its ask for the address.

While selecting the address one POST request made to fetch the address in reference to addressId.

    POST /checkout/adv/address/select-previous HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101   
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 16
    Connection: close
    Cookie: AWSALBTG=XXX


Alter the addressid value to fetch other user's address along with name and phone number.

As the addressId is sequential an attacker can fetch all address available in the database . Which will result mass PII leaks including data such as names, phone numbers and addresses.


PS- Don't waste your time by reporting their bug bounty program.

Thanks for reading, any suggestion feedback are welcome