Oops, Nykaa! How I Almost Ordered ₹1 Lakh Worth of Makeup (Without Even Logging In!)

1 month ago 25

LungFu

Imagine waking up one day to find you’ve just ordered a truckload of beauty products from Nykaa, all worth over ₹1 lakh! You didn’t even touch your phone or laptop, but the texts are rolling in, confirming that your shopping spree was a success. What’s happening?! Well, this isn’t a dream, and definitely not a pleasant one — this was the reality of a vulnerability I discovered on Nykaa’s platform.

So here’s how I stumbled upon this bug while casually browsing the site (as one does, in search of the perfect face mask). I realized that, without logging in, you could place a high-value order in someone else’s name just by knowing their phone number. Yes, that’s right — no need for passwords, accounts, or even legitimate emails! Just grab their number, slap an invalid email address in the checkout form, and BOOM — order placed!

### What Was the Issue?

To put it simply: Nykaa had a vulnerability where an attacker could place high-value orders (we’re talking ₹1 lakh+) using someone else’s phone number. Without needing any kind of login or verification, the order would go through, and the victim would be none the wiser until they got that dreaded notification.

Imagine the chaos this could cause! Not only would Nykaa have to deal with the headache of deliveries, but poor victims would be bombarded with order confirmations, tracking notifications, and frantic calls from Nykaa wondering why they just bought the entire stock of a perfume line.

### The Impact? Oof!

This bug was a double whammy for both Nykaa and its users:

1. **Nykaa**: Oh boy, the logistics nightmare! Shipping out high-value products without verification means Nykaa would have to pay for deliveries, even for fraudulent orders. Now imagine that happening on a large scale, with hundreds of orders piling up — what a beauty mess!

2. **Victims**: Imagine the panic. Getting a notification saying you’ve just ordered luxury goods you never even looked at. Stress, confusion, and distrust would definitely follow. Plus, I’m sure nobody wants to start their day by receiving a “Thank you for your ₹1 lakh order!” text.

### How Did It Happen?

Want to try it? Just kidding, don’t! Here’s how the bug worked:

1. **Pick any expensive item** from Nykaa — something worth over ₹1 lakh. Because if you’re going to hack something, why not go big?
2. **Go to checkout** — but don’t bother logging in, it’s not required!
3. **Enter the victim’s phone number**, along with a random (read: fake) email address.
4. **Place the order**, and sit back as the chaos unfolds.

No login, no authentication, and you’ve just sent a mini fortune in someone else’s name. 🎉

### What Should Be Done?

Don’t worry, Nykaa didn’t just leave this sitting on the shelf. Here’s what I recommended to them (in very serious terms):

1. **Authenticate Orders**: Any high-value purchase should require the user to log in. Let’s make it at least a little harder for someone to buy ₹1 lakh worth of mascara in your name!

2. **Verify Emails and Phone Numbers**: Orders should only go through if the contact information is legit. No more invalid email loopholes.

3. **Introduce Two-Factor Authentication (2FA)**: Before processing a high-value order, Nykaa should send a verification code (via OTP) to confirm the purchase.
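The three recommendations above, combined into one server-side order check, as an added example that is not Nykaa's code: a guest can still buy cheap items, but an order at or above the high-value threshold is rejected unless the caller has a logged-in session, supplies a syntactically valid email and phone, and presents a single-use OTP that was issued to the phone number on the order. The threshold, the Indian mobile number format and the OTP store are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HIGH_VALUE_THRESHOLD = 100_000  # rupees; assumed cut-off (the post describes ₹1 lakh+ orders)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+91[6-9]\d{9}$")  # assumed: Indian mobile numbers in E.164 form


@dataclass
class Order:
    amount: int
    phone: str
    email: str
    session_user: Optional[str] = None  # None means guest checkout, no login
    otp: Optional[str] = None           # code the shopper typed in, if any


class OtpStore:
    """Server-side OTP issuance. Codes are bound to (phone, amount), hashed at rest, single-use."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int], str] = {}

    def issue(self, phone: str, amount: int) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(phone, amount)] = hashlib.sha256(code.encode()).hexdigest()
        return code  # a real system sends this by SMS to `phone`, never back to the caller

    def verify(self, phone: str, amount: int, code: Optional[str]) -> bool:
        # Any attempt consumes the pending code, so a wrong guess cannot be retried.
        expected = self._pending.pop((phone, amount), None)
        if expected is None or code is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(code.encode()).hexdigest())


def place_order(order: Order, otp_store: OtpStore) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check runs server-side; the client is not trusted."""
    if not EMAIL_RE.match(order.email):
        return False, "invalid email"
    if not PHONE_RE.match(order.phone):
        return False, "invalid phone"
    if order.amount >= HIGH_VALUE_THRESHOLD:
        if order.session_user is None:
            return False, "login required for high-value order"
        if not otp_store.verify(order.phone, order.amount, order.otp):
            return False, "otp verification failed"
    return True, "accepted"
```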

### Why Is This a Big Deal?

First, Nykaa could suffer major financial losses, not to mention the damage to its reputation. If multiple fake orders were placed, they’d have to pay delivery charges for each one — even if they were later canceled. Multiply that by dozens or hundreds of fake orders, and that’s a lot of money down the drain.

Second, customer trust would be shaken. Getting spammed with notifications for orders you didn’t place isn’t fun, and that frustration could push loyal customers away.

### The Bottom Line?

It was a fun ride discovering this bug (although, not so fun for potential victims or Nykaa’s wallet). Thankfully, I reported it to Nykaa, and they are on top of things now. But hey, remember: even when shopping for beauty products, security should always be the priority!

#security, #noobbughunting, #firsteverbug, #bugbounty
