What is SonyLIV?
SonyLIV is a South Asian internet television channel and subscription video-on-demand service operated by Sony Pictures Networks in India and Pakistan.
What is the Flaw?
The flaw is in one of SonyLIV's APIs: it allows an attacker to log in to any SonyLIV account, fetch sensitive user information, and perform all sorts of operations on the victim's account.
It puts at risk information such as name, date of birth, email, address, mobile number, profile picture, and more.
The attacker can harvest these accounts to perform social engineering and other attacks.
Why is it Big?
SonyLIV has over 100 million user installs on the Google Play Store, and this vulnerability puts all of the information of all these users at risk of being leaked online. (Ref: Google Play Store)
How can you reproduce the flaw?
I've made a script to send a request to this API and fetch user information, along with the authentication token to access other APIs on SonyLIV.