Friday, October 11, 2024

Business Logic Flaw in Guest Purchase Functionality Exposes PII in a Shopping Application.

Hey everyone! 🎉 It’s Saturday again, and I’m super excited to share my latest adventure in web hacking! This week has been a blast as I dove back into learning how to read code. Today, I want to take you through a vulnerability I discovered on Intigriti, a cool bug bounty platform like HackerOne and Bugcrowd. Big shoutout to Jayesh @Jayesh25 for inspiring this discovery—definitely give him a follow!

Let’s break it down step by step! 🛠️

Step 1: What’s the Guest Purchase Feature? 🤔

Many modern shopping applications let you buy products without signing up. This is super convenient! Imagine someone wanting to only buy underwear—signing up might feel a bit awkward, right? With the guest feature, all you need to do is select the option to purchase as a guest and proceed to payment. Easy peasy! 🍰

Step 2: Spotting the Vulnerability 🔍

Now, here’s where it gets interesting! The vulnerability I found is a business logic issue in the guest buying functionality. When a user (the victim) makes a payment and provides personally identifiable information (PII)—like their home address and phone number—the application stores this information keyed on the email address alone, with no check that whoever later claims that address actually controls it. 😱

Step 3: The Core Problem ⚠️

Here’s the kicker: the application allows anyone to sign up without verifying their email address. This means that an attacker could create an account using the victim's email address, gaining access to their PII linked to that email.

To break it down:

  • Email as Identifier: The email address is used to identify the user making the payment.
  • Lack of Verification: If the application doesn’t verify email addresses during signup, it opens the door for attackers to access sensitive information just by signing up with the same email or phone number.

Step 4: How It Works 🛠️

Let’s look at how this vulnerability can be exploited:

  1. Victim Makes a Purchase: A user buys a product as a guest and provides their PII.
  2. Application Stores PII: The application stores this information linked to the user’s email.
  3. Attacker Signs Up Using Victim Email Address: An attacker signs up using the same email address as the victim without any verification by the application.
  4. Access Granted: The attacker now has access to the victim’s PII because it’s tied to that email.
  5. Straight to Payment History: The attacker opens the account’s payment history, which is where the leaked PII is normally found.
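To make the flow in Steps 3 and 4 concrete, here is an added illustration (not code from the post or from the affected application) of a payment-history lookup keyed on the raw email string beside a hardened version that links guest orders to an account only after a one-time token sent to that mailbox is presented. All data, storage and function names are constructed assumptions; token delivery is simulated with an in-memory dict.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: one guest order placed with the victim's email address.
GUEST_ORDERS = [
    {"order_id": "G-1001", "email": "victim@example.com", "address": "1 Example St",
     "phone": "+1-555-0100", "card_last4": "4242"},
]
PENDING_TOKENS: dict = {}  # email -> token that was (notionally) emailed to that address

@dataclass
class Account:
    email: str
    email_verified: bool = False
    claimed_order_ids: set = field(default_factory=set)

def payment_history_vulnerable(account: Account) -> list:
    """The flaw from the post: history is keyed on the email string alone, so an
    account created with the victim's address (never verified) sees their orders."""
    return [o for o in GUEST_ORDERS if o["email"] == account.email]

def signup(email: str) -> Account:
    """Hardened signup: the account starts unverified and a one-time token is sent
    to the mailbox (delivery is simulated by storing it in PENDING_TOKENS)."""
    PENDING_TOKENS[email] = secrets.token_urlsafe(16)
    return Account(email=email)

def confirm_email(account: Account, token: str) -> bool:
    """Only the mailbox owner can present the token; on success the guest orders
    for that address are linked to the account and the token is consumed."""
    expected = PENDING_TOKENS.get(account.email)
    if expected is None or not secrets.compare_digest(expected, token):
        return False
    del PENDING_TOKENS[account.email]
    account.email_verified = True
    account.claimed_order_ids |= {
        o["order_id"] for o in GUEST_ORDERS if o["email"] == account.email
    }
    return True

def payment_history_fixed(account: Account) -> list:
    """History is built only from orders linked after mailbox verification."""
    if not account.email_verified:
        return []
    return [o for o in GUEST_ORDERS if o["order_id"] in account.claimed_order_ids]
```

The vulnerable lookup hands the attacker's unverified account the victim's order, while the fixed lookup returns nothing until the token that only the real mailbox owner received is presented.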

Step 5: How Do Attackers Get the Victim’s Email? 📧

You might ask, "How do I get the victim's email?" Well, it’s pretty easy! For starters, I just leaked my email at the end of this blog post. If I hadn’t signed up already and you stumbled across the application, you would have access to all my user data. It’s literally that easy! Just leaving your email anywhere can give an attacker the opportunity to sign up and gain access to your information.

Step 6: What Was Leaked by the Application? 📜

You might also wonder what kind of information was leaked by the application. Here’s a rundown:

  • My full name
  • Home address
  • Phone number
  • What I purchased
  • And drumroll, please... my payment credentials, including my credit card details!

The application does a decent job of hiding the CVV code, but still, it’s a significant security flaw. While it ended up being a duplicate report, it was really fun to exploit! 😄

Step 7: Key Takeaways 📝

Here are some important lessons I learned from this experience:

  • Paying for Extra Functionality: Paid features can hide bugs too. In my case, while it wasn’t a direct payment issue, it was still accepted as a valid bug that could have earned me a reward! 💰

  • Verification Matters: This vulnerability only exists if there is no verification in the signup process or if you find a way to bypass the signup page.

  • Understand the Flow: Knowing how the application works is crucial; it helps you identify potential weaknesses to exploit.


Conclusion 🎊

That’s all for now! Thanks for reading, and I hope you learned something valuable—I certainly did! Before I sign off, here are some blog posts you should definitely check out. They’re packed with great insights:


CONTACT ME

You can find me on Twitter: @richard_onyeka

Feel free to reach out via email: richardonyeka@duck.com
