How I was able to access customer details of a food startup. #ResponsibleDisclosure

Sriram Kesavan
3 min read · Apr 29, 2019


It was a very pleasant bad day working on my 8th startup, Soru, a food production business specializing in non-veg. Yeah, being in a startup is a tough journey: gaining customers and beating the existing startups in the market.

Fine, being a 21-year-old with more than 50 capable dishes on the menu, we were still not able to receive orders. Yeah, some heavy competitors here. Those guys were on top of the market and we were at the bottom of everything.

On the edge of stress, depression and heavy loss, my bad side arose. Yeah, the H4cker in my mind came out. I thought of taking a look at my competitor's website. I don't wanna name them, but it still exists.

It was, amazingly, a f**kin template: it had just a link to their application on the Play Store and the Apple App Store, but the app didn't even exist.

It was a static website, so I couldn't find a way into it. Wait a second, what about the contact page… No, it was not built with a form; instead a mail ID and phone number were listed. But there still existed a page to register for a franchise model… BINGO !!

No, it was not :( It was another f**kin template, where I tried all my skills from text injection to RCE, but nothing was working…

Again back to depression state…

What about Spider…

A spider is a program that visits Web sites and reads their pages and other information in order to create entries for a search engine index. The major search engines on the Web all have such a program, which is also known as a “crawler” or a “bot.”

With half a mind I went back to Burp and gave a hard click on Spider the host…

I was able to find sensitive files stored in a folder that could be viewed by the public. There also existed a page to place an order and pay the amount due, with another simple parameter tampering issue: the values were passed in plain text. I paid 20 rupees for my order worth 1500 rupees. Well, that was amazing; order placed…
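The price tampering just described, as an added example that is not code from the original post: the vulnerable order handler, which charges whatever total the client sends, next to a hardened one that recomputes the total from the server-side menu. The menu items, prices and the request parameter names `items` and `amount` are constructed assumptions; the real site's endpoint is not known.

```python
# Added example, not code from the original post: the price-tampering issue
# described above, as a vulnerable order handler beside a hardened one.
# The menu items, prices and request parameter names ("items", "amount")
# are constructed assumptions; the real site's endpoint is not known.
from dataclasses import dataclass

# Server-side price list in rupees (constructed sample data).
MENU = {"chicken_biryani": 600, "mutton_curry": 550, "fish_fry": 350}


@dataclass
class Order:
    item_ids: list
    amount_to_charge: int


def place_order_vulnerable(params: dict) -> Order:
    """The bug the post describes: the client sends the total in plain text
    and the server charges exactly what it was sent."""
    items = params["items"].split(",")
    # Trusting params["amount"] lets a 1500-rupee order be paid with 20.
    return Order(items, int(params["amount"]))


def place_order_hardened(params: dict) -> Order:
    """Recompute the total from the server-side menu; the client's amount is
    at most a cross-check, and any mismatch is treated as tampering."""
    items = params["items"].split(",")
    unknown = [i for i in items if i not in MENU]
    if unknown:
        raise ValueError(f"unknown items: {unknown}")
    expected = sum(MENU[i] for i in items)
    if "amount" in params and int(params["amount"]) != expected:
        raise ValueError(
            f"price mismatch: client sent {params['amount']}, expected {expected}"
        )
    return Order(items, expected)


if __name__ == "__main__":
    # Constructed request: 600 + 550 + 350 = 1500 rupees of food, sent as 20.
    tampered = {"items": "chicken_biryani,mutton_curry,fish_fry", "amount": "20"}
    print(place_order_vulnerable(tampered).amount_to_charge)  # 20: charged 20
    try:
        place_order_hardened(tampered)
    except ValueError as err:
        print("rejected:", err)  # price mismatch: client sent 20, expected 1500
```

The hardened handler also rejects item ids that are not on the menu, so a client cannot smuggle in a zero-priced item of its own.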

The sensitive files exposed data on more than 10,000 customers, with all the recent orders placed by them: their name, phone number, email ID, address, the order placed and the mode of payment, even exposing some card details in the file OrderDetailsList.

Timeline:

Jan 10, 2019: Bug reported through mail

Present time: NO RESPONSE !!

Lesson Learnt: Always spider the host; it may reveal important files that must not be exposed to the public.

Sriram Kesavan

Google VRP Security Researcher | Founder TG Cyberlabs❤️ | Cybersecurity Researcher | H4cking is Fun !!