I've stumbled upon another security hole at a well know Indian company's website that is leaking their customer's sensitive information.
Just like the Myntra security hole that I found a long time ago (which resulted in them setting up their Responsible Disclosure Policy), this hole too is just something I stumbled upon while using their website regularly. I didn't have to do anything special that a regular user wouldn't do and there is no "hack" involved. It simply seems to be a case of bad implementation or a bug that anyone with a decent technical background can easily recognize and take advantage of.
My Myntra report was in Dec 2013 and in the 7 years since, nothing much has changed with Indian companies taking security seriously or even setting up a basic responsible disclosure policy 😔.
For now I've sent an email to security@ their website address which thankfully didn't bounce and I've also messaged them on a few of their social accounts. Will wait for them to respond and give them time to fix it before publishing more details.
Update (Oct 5, 2020): emails to security@ their website bounced after 24 hrs 😔
Pic source: https://www.needpix.com/photo/download/929205/key-hole-eye-by-looking-spy-spying-on-watch-burglary-burglar-privacy-policy |