Hi There,
Renganathan here.
As the company didn't allow me to reveal their name, let's keep it as target.com :)
target.com doesn’t have a responsible disclosure program, but still, they do respect security researchers for finding vulnerabilities with cash rewards.
target.com is a ticket booking platform. You can book tickets for events, shows, concerts and sports matches, so it is a kind of e-commerce site.
I was testing for an account takeover, and I didn't get it. Then I was testing for a parameter tampering vulnerability and unfortunately, it was not vulnerable to that.
Then I noticed something awesome.
I added the ticket to the cart and proceeded with the payment; at that point I noticed a weird POST request.
{
  "__v": 0,
  "_id": "60cdec09fbd22d00096f8dfe",
  "name": "Register Ticket",
  "price": 499,
  "prime_price": 499,
  "min_purchase_amount": 1,
  "quantity_available_for_purchase": 1,
  "needs_shipping_address": false,
  "locked": false,
  "description": "",
  "is_hidden": false,
  "availability_date": "2091-06-26T13:30:00.000Z",
  "unlock_url_params": [],
  "custom_html": [],
  "vendor": "non_seated",
  "rewards": [],
  "inventory_params": [],
  "item_params": [],
  "parent": {
    "parent_type": "event",
    "parent_id": "60cdec09f8dfc"
  },
  "convenience_fee_percentage": 0.02,
  "taxes": [],
  "gst": [],
  "item_state": "available",
  "delivery_charges": 0,
  "delivery_type": "pickup",
  "restrictions": [
    "*"
  ],
  "viewable_on": "all",
  "prerequisites": [],
  "joining_url": "https://us02web.zoom.us/j/8394287063?pwd=IQmYzRC0T2c5V0RnV9",
  "id": "60cdecd2096f8dfe",
  "city": "Pan India",
  "show_id": "60cdec0aff8e00",
  "show_start_utc": 164200,
  "show_end_utc": 1624600,
  "event_name": "a standup comedy show by an artist",
  "event_slug": "event name",
  "venue_name": "Online",
  "venue_address": "-",
  "show_date_string": "July 31| 18 PM",
  "itemgroup_name": "Tickets",
  "itemgroup_type": "ticket",
  "itemgroup_id": "60cdec0a6f8e01",
  "buy_button_error_msg": "Please select number of tickets",
  "resolved": true,
  "count": "1",
  "cost": 0,
  "added_to_cart": false,
  "rewardsFetched": false,
  "is_addon": false,
  "originalPrice": 0,
  "custom_rewards_message": "Move the slider to unlock rewards!",
  "check_text": {
    "check_title": "RESTRICTED ACCESS",
    "check_caption": "This item is locked. Enter the fields below to buy this ticket."
  },
  "success_text": {
    "success_title": "YOU ARE IN!",
    "success_caption": "Life is good. You have access to these tickets. Click to get your tickets below."
  },
  "failure_text": {
    "failure_title": "YOU ARE NOT ON THE LIST.",
    "failure_caption": "But hey, don't fret. Check out other <a href='/'>shows</a>target."
  },
  "reward": "",
  "convenienceFeeSchedule": [],
  "nextUrl": "/event/show-by-an-artist/buy/shows/60cd2d00f8e00/Tickets/60c0008dfe",
  "show_animation": true,
  "skipPrerequisities": false,
  "seats": []
}
Did you just see it?
It was the Zoom meeting link for the show, which is supposed to be accessible only after payment:
"joining_url": "https://us02web.zoom.us/j/8394287063?pwd=IQmYzRC0T2c5V0RnV9"
You are supposed to receive the Zoom meeting link along with the invoice on your WhatsApp. But I had only added the tickets to the cart and was already able to access the Zoom meeting link, which was leaked by the backend. I reported this to the CEO & CTO and I was awarded $100 for reporting this issue. Also, I was added to the guest list for the standup comedy show for free ;)
Timeline:
June 24, 2021, 8:30am - Reported
June 24, 2021, 4:15pm (I guess) - Patched
I retested the patch and confirmed it.
June 28, 2021 - Awarded $100 for this issue.
Thanks for reading :)
Stay Safe.