Site having 300 million active users from almost over the world suffers from information disclosure vulnerability that puts million of users information under risk.
An Israeli application security researcher Amitay Dan have discovered the critical vulnerability on Ali Express, Researcher have reported the flaw to Ali Express and also provided the full disclosure of the vulnerability to Israel media and THN.
For better explanation of the bug Amitay have provided a video demonstration of the vulnerability which explain the details information about flaw.
According to the video Proof-Of-Concepts of the flaw, Ali Express allows logged in user to add/update their shipping address and contact number at the following URL i.e. http://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456
and here 123456 is the user Id. Researcher Amitay have changed the value of the mailingAddressId parameter with random digits, and this manipulation of the users ID leads to expose of the users information.
Ali Express site failed in validation and thus shows the respective users details on the same page. This was simple but was very critical as attacker can grab personal information of millions of users just by randomly changing the Users ID.