I’m a security researcher, and I’ve taken on the challenge of explaining one bug bounty report every day for the next 30 days — 30 days, 30 reports!
Here’s today’s report: Unauthorized Order Modification and Data Exposure
A vulnerability in an online ordering platform allowed attackers to modify other users’ orders, access sensitive information like their physical addresses, and add unwanted items to their carts. Here’s how I uncovered it.
The platform lets users modify their orders before the shopping process begins. However, the server never checked that the user submitting the modification actually owned the order being modified. That missing ownership check is what made the feature exploitable.
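To make the missing check concrete, here is an added example that is not code from the report or from the affected platform. It models the order-modification endpoint as two plain Python functions: one that looks an order up by ID alone (the behaviour described above) and one that refuses the change unless the caller owns the order. The function names, the `Forbidden` exception, the usernames and the addresses are assumptions made for the example; the two order IDs are the ones quoted in the report.

```python
# Added example, not from the original report: an order-modification handler
# with and without an ownership check.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller tries to act on an order they do not own."""


@dataclass
class Order:
    order_id: int
    owner_id: str
    address: str          # sensitive: the customer's physical address
    items: list = field(default_factory=list)


def sample_orders():
    """Constructed sample data. Order IDs are the ones quoted in the report;
    usernames, addresses and items are made up for the example."""
    return {
        1813918441: Order(1813918441, "attacker", "1 Attacker Lane", ["coffee"]),
        181396149: Order(181396149, "victim", "9 Victim Street", ["tea"]),
    }


def modify_order_vulnerable(orders, current_user, order_id, add_item):
    """Looks the order up by ID only. current_user is never consulted, so any
    authenticated user can edit any order and read its address."""
    order = orders[order_id]
    order.items.append(add_item)
    return {"order_id": order.order_id, "address": order.address, "items": list(order.items)}


def modify_order_fixed(orders, current_user, order_id, add_item):
    """Same operation, but the order must belong to the caller.

    'Not found' and 'not yours' are handled identically so the response does
    not reveal whether a guessed order ID exists."""
    order = orders.get(order_id)
    if order is None or order.owner_id != current_user:
        raise Forbidden("order not found or not owned by caller")
    order.items.append(add_item)
    return {"order_id": order.order_id, "address": order.address, "items": list(order.items)}


def try_modify_fixed(orders, current_user, order_id, add_item):
    """Helper for demonstrations: returns the result, or None when the
    ownership check rejects the request."""
    try:
        return modify_order_fixed(orders, current_user, order_id, add_item)
    except Forbidden:
        return None


def demo():
    """Replays the report's scenario against both handlers.

    Returns (address leaked by the vulnerable handler,
             whether the fixed handler blocked the same request)."""
    leaked = modify_order_vulnerable(sample_orders(), "attacker", 181396149, "unwanted item")
    blocked = try_modify_fixed(sample_orders(), "attacker", 181396149, "unwanted item") is None
    return leaked["address"], blocked


if __name__ == "__main__":
    address, blocked = demo()
    print(f"vulnerable handler leaked address: {address}")
    print(f"fixed handler blocked the cross-account change: {blocked}")
```

The important design point is that the authorization decision is made from the session's identity (`current_user`) and the record's stored owner, never from anything the client sends. When the ownership check and the lookup are combined into one `owner_id == current_user` condition and the same error is returned for both failure cases, the endpoint also stops acting as an oracle for enumerating order IDs.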
Here’s how the bug was discovered:
1. Place Two Orders: Using two accounts (attacker and victim), I placed two future-dated orders in the same shop.
   Attacker’s order ID: 1813918441
   Victim’s order ID: 181396149