Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
On the blog post, hackers wrote that while creating accounts on Zomato's site, a user can store his phone number, addresses, date of birth, link Instagram account etc. And these all stored information can be gained from the by exploiting a simple API call function.
Anand Prakash who have discovered a bug in Zomato, which resulted in data leakage of other Zomato users. The bug resides on one of the API call, they were reflecting the user data based on the "browser_id" parameter in the API request. And just changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users. - he wrote.
About the VulnerabilityInsecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
By exploiting the same thing, Anand can see all the Zomato's users details and also gains users Instagram access token, which can be used to see Private photos of Instagram.
Anand intercepts the post request made by the users to the Zomato's server and by just replacing (changing) the browser_id, he managed to gain all users data's.
POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=188.8.131.52 HTTP/1.1Just replacing the XXXX with the victims id, the above request disclose the victim's data.
Accept-Encoding: gzip, deflate
Anand have reported the vulnerability to Zomato's CEO, and within 24 hours Zomato team had fixed the vulnerability. This time Zomato CEO took the hackers bug reports seriously and fixed the critical bug. Last time Gaana team didn't respond to the hackers reports and faced the data breached.
For the Proof-of-Concepts, Anand had published a video demonstration of the vulnerability.