Everyone says Hyderabadi Biryani is amazing but if you say you didn't like the
Hyderabadi Biryani you tried, they will ask you which restaurant you
tried it at and then the inevitable answer will be "Oh, that one isn't
good, you should try it at XYZ Biryani House" and so on till infinity.
There is ALWAYS a restaurant where the biryani is better than the one
you didn't like.
Sunday, December 13, 2020
The Hyderabadi Biryani Problem
Saturday, October 03, 2020
Stumbled upon another security hole at a well-known Indian company's website that is leaking their customers' sensitive personal information
I've stumbled upon another security hole at a well-known Indian company's website that is leaking their customers' sensitive information.
Just like the Myntra security hole that I found a long time ago (which resulted in them setting up their Responsible Disclosure Policy), this hole too is just something I stumbled upon while using their website regularly. I didn't have to do anything special that a regular user wouldn't do and there is no "hack" involved. It simply seems to be a case of bad implementation or a bug that anyone with a decent technical background can easily recognize and take advantage of.
My Myntra report was in Dec 2013 and in the 7 years since, nothing much has changed with Indian companies taking security seriously or even setting up a basic responsible disclosure policy 😔.
For now I've sent an email to security@ their website address which thankfully didn't bounce and I've also messaged them on a few of their social accounts. Will wait for them to respond and give them time to fix it before publishing more details.
Update (Oct 5, 2020): emails to security@ their website bounced after 24 hrs 😔
Pic source: https://www.needpix.com/photo/download/929205/key-hole-eye-by-looking-spy-spying-on-watch-burglary-burglar-privacy-policy