What is Pepperfry?
Pepperfry is an e-commerce marketplace that allows users to shop for furniture and home decor products.
What is The Flaw?
One of their internal authentication APIs can automatically log you in to any account, or create a new one if the user account does not exist. The same API response exposes the user's information: Entity ID, Name, Email, Phone, About and Gender.
Here, Entity ID is the internal user ID used to recognize the user.
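A server-side model of the flaw described above beside a hardened form, as an added example that is not Pepperfry's code or the author's script. The function names, the in-memory store and the one-time-code flow are assumptions, and the sample user is constructed.

```python
import hmac
import secrets

# Constructed sample user; field names follow the ones the post lists.
USERS = {"user@example.com": {"entity_id": 1001, "name": "Sample User",
                              "email": "user@example.com", "phone": "0000000000",
                              "about": "", "gender": ""}}
SESSIONS = {}      # session token -> entity_id
PENDING_CODES = {} # identifier -> one-time code delivered out of band

def new_session(entity_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = entity_id
    return token

def autologin_flawed(identifier):
    """Behaviour the post describes: the identifier alone yields a session
    and the full profile, and unknown identifiers get an account created."""
    user = USERS.get(identifier)
    if user is None:
        user = {"entity_id": 1001 + len(USERS), "name": "", "email": identifier,
                "phone": "", "about": "", "gender": ""}
        USERS[identifier] = user
    return {"session": new_session(user["entity_id"]), "profile": user}

def request_login(identifier):
    """Hardened step 1 (assumed design): send a code out of band. The response
    is identical whether or not the account exists, and nothing is created."""
    if identifier in USERS:
        PENDING_CODES[identifier] = f"{secrets.randbelow(10**6):06d}"
        # Delivery by SMS or e-mail to the registered contact would happen here.
    return {"status": "code_sent_if_account_exists"}

def complete_login(identifier, code):
    """Hardened step 2: a session is issued only on proof of possession.
    The code is single use, so a wrong guess also invalidates it."""
    expected = PENDING_CODES.pop(identifier, None)
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        return {"error": "invalid_credentials"}
    # No profile fields in the login response; they sit behind the session.
    return {"session": new_session(USERS[identifier]["entity_id"])}
```
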
Why is It Big?
Pepperfry has raised over Rs 1,200 crore (about $163 mn) since its inception 6 years ago (source: Economic Times).
More than 1 million users have installed Pepperfry through the Google Play Store.
Hackers and telemarketers can mine Pepperfry's data by automating a script using a phone number dump found online.
These 1 million users are at risk of having their information leaked on the web.
How Do I Reproduce The Flaw?
Update: The flaw has been fixed and acknowledged by Pepperfry, and covered by Moneycontrol.
I have created an automated script that will log in to the account and display the user information.
Another Script Allows You to Change the First Name & Last Name of Any Account on Pepperfry:
Using our flaw, I've created a script which allows you to change the first name & last name of any account on Pepperfry.
You need to enter the email ID of your Pepperfry account and the new first name and last name for the user account.