So this is another addition to my journey of finding bugs in websites and then helping the companies out in "how to" resolve those bugs.
Today, I read news that IndiaMart has recently launched a portal for payments, and I thought I should try finding a bug in their website.
This time around I found a bug in indiamart.com which is a gigantic and humongous market place for buyers and sellers. I could look at the API calls made and suspect that there was a payment flaw and wanted to test this out.
To confirm, I made a test Buyer account and a Seller account on their website.
Post account creation, I bought an INR 50,000 item from a seller (remember, I am the seller also), and then on the payment page the buyer (me) sends in INR 5 only instead of INR 50,000.
This, of course, was to test "what if I buy something worth INR 50,000 and pay only a smaller amount, INR 5 in this case?" And the astonishing thing was that I could just make a payment of INR 5 and get a confirmation of an order worth INR 50,000.
This in itself was so shocking to me that I started preparing an email to inform IndiaMart about this flaw and request them to fix this ASAP. However, another shocker came very soon, when the IndiaMart customer care team's executive called me up and asked me to provide the account details so that they could transfer the INR 50,000 (remember, I am the seller as well, so ideally they thought they were sending the seller the money).
This made things even more shocking because I was assuming that they would have a second layer of scrutiny after the orders are confirmed, but they simply asked for account details to send the money. I have given them my account details for now, and at the same time I am preparing an email to write to the CEO to let them know about this flaw and the level of security breach that is possible. Because this, for me, is too much. These guys are ready to send me the money to the account without even verifying anything.
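The flaw described above is, at its root, an order being confirmed on the strength of a successful payment event without the server checking that the amount paid equals the amount owed. The following is an added example written for this post (not IndiaMart's code, and the order, payment and function names are assumptions): a flawed confirmation routine beside a hardened one that compares the gateway-reported amount and currency against the server-side order total, and a payout check that refuses to release funds to a seller unless the order was fully paid.

```python
from dataclasses import dataclass

# Amounts are kept in minor units (paise) as integers so that no float
# rounding can blur the comparison between "owed" and "paid".
PAISE_PER_RUPEE = 100


def rupees(amount: int) -> int:
    """Convert whole rupees to paise."""
    return amount * PAISE_PER_RUPEE


@dataclass
class Order:
    """Server-side order record. amount_paise comes from the catalogue price,
    never from anything the buyer's browser submits (constructed shape)."""
    order_id: str
    buyer_id: str
    seller_id: str
    amount_paise: int
    currency: str = "INR"
    status: str = "PENDING"
    paid_paise: int = 0


@dataclass
class PaymentNotification:
    """What a payment gateway callback reports for one transaction
    (constructed shape, not any real gateway's API)."""
    order_id: str
    amount_paise: int
    currency: str
    gateway_status: str  # "SUCCESS" or "FAILED"


def confirm_order_vulnerable(order: Order, payment: PaymentNotification) -> str:
    """Flawed logic: any successful payment tied to the order confirms it,
    regardless of how much was actually paid. This is the behaviour the
    post describes (INR 5 confirming an INR 50,000 order)."""
    if payment.order_id == order.order_id and payment.gateway_status == "SUCCESS":
        order.paid_paise += payment.amount_paise
        order.status = "CONFIRMED"
    return order.status


def confirm_order_hardened(order: Order, payment: PaymentNotification) -> str:
    """Hardened logic: the payment must belong to this order, succeed at the
    gateway, and match the order's amount and currency exactly. Anything else
    leaves the order unconfirmed and flags it for review."""
    if payment.order_id != order.order_id:
        raise ValueError("payment notification does not belong to this order")
    if payment.gateway_status != "SUCCESS":
        return order.status  # unchanged; nothing was paid
    if payment.currency != order.currency or payment.amount_paise != order.amount_paise:
        order.status = "PAYMENT_MISMATCH"  # e.g. INR 5 paid against INR 50,000 owed
        return order.status
    order.paid_paise = payment.amount_paise
    order.status = "CONFIRMED"
    return order.status


def may_release_payout(order: Order) -> bool:
    """Second layer the post wishes existed: funds are released to the seller
    only for a confirmed order whose recorded payment equals the order total."""
    return order.status == "CONFIRMED" and order.paid_paise == order.amount_paise


def sample_order() -> Order:
    """Constructed order mirroring the post: an INR 50,000 item."""
    return Order("ORD-EXAMPLE-1", "buyer-1", "seller-1", rupees(50_000))


if __name__ == "__main__":
    underpaid = PaymentNotification("ORD-EXAMPLE-1", rupees(5), "INR", "SUCCESS")
    o = sample_order()
    print("vulnerable:", confirm_order_vulnerable(o, underpaid), "payout ok:", may_release_payout(o))
    o = sample_order()
    print("hardened:  ", confirm_order_hardened(o, underpaid), "payout ok:", may_release_payout(o))
```

The important design choice is that the comparison uses the gateway's own report of the amount, not a value echoed back by the buyer's browser, and that the payout step re-checks the recorded amount rather than trusting the order status alone. Note that even the vulnerable routine records `paid_paise`, so a payout check like `may_release_payout` would still have stopped the INR 50,000 transfer the post describes.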
Anyway, I will keep you guys posted about it. Let's help people and make the internet a secure place :D
In my last three attempts, I have helped UrbanClap, RailYatri (blog post for this coming soon) and BitClub. This one is the most interesting one, since here you get the actual money credited into your bank account.
Sad Part:
It has been so much time since I mailed the issue to the IndiaMart team (even including their CEO). But none of them has contacted me to get the details about the issue or the vulnerability they have in their payments system. It's not like they have not read my mail. They have definitely read it, because the amount of INR 50,000 which they were readily sending earlier is still not sent. This confirms that they have read the mail. But it looks like they are too lazy to act.
How can such a big player in the market ignore such a big vulnerability in their website? They can incur losses of crores by this. But who cares!!! Investors' money it is. Let's burn it. That is the petty mentality entrepreneurs today have.
Acknowledging someone's hard work (who himself reports the bug instead of exploiting it) is the least one can do, but still people fail at that. I could have simply taken their 50,000 and never reported the issue. But I don't think they realize it.
Will also update this blog with all the details about the issue like process, etc once they fix it.
Note: To read more posts by me in #UnlimitedFree series, go to http://blog.uditagarwal.com/search/label/UnlimitedFree
Thanks for reading this. Please do comment your views on this. Follow me at: https://twitter.com/anomaly2104