Cloud Security

[Responsible disclosure] How I could have hacked 62.5 million Zomato Users

This is a post on how I could have hacked 62.5 million Zomato Users. This bug was responsibly disclosed and was fixed within a few minutes.

Written by Anand Prakash

February 9, 2018 | 2 min read

Note: This is being published with the permission of the Zomato Team. The vulnerability is now fixed.

While creating an account, users can store their phone number, addresses and date of birth, link their Instagram account, and so on. One of the API calls returned a user's stored data based on the “browser_id” parameter in the request. Changing “browser_id” sequentially returned the data of other Zomato users. The leaked data also included each user's Instagram access token, which could be used to view that user's private Instagram photos.

About Zomato

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés, and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.

Vulnerability Description

Insecure Direct Object References (IDOR) occur when an application exposes a reference to an internal object (a database record, a file) and uses that user-supplied reference to fetch it. An attacker who changes the reference bypasses authorization and reads resources in the system directly.

In other words, IDOR lets an attacker access resources by modifying the value of a parameter that points directly at an object: database entries belonging to other users, files on the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without checking that the caller is authorized for that particular object.

Vulnerable Endpoint

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1
Accept: */*
Content-Length: 214
Accept-Encoding: gzip, deflate
X-Zomato-API-Key: XXXXXXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Zomato/5.0
Host: 1api.zomato.com
Connection: Keep-Alive
Cache-Control: no-cache
lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz

Replacing the XXXXX with the victim’s user id in the above request led to information disclosure.

Ease of exploitability

You can easily get the user id of any Zomato user by visiting their profile: user ids are public and appear in the profile URL.
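The check that was missing here is that the object requested in the path must belong to the principal behind the access token. The following is an added example, not Zomato's code; it models the userdetails handler with constructed user records and a constructed token-to-user session table, showing the vulnerable lookup next to the fixed one.

```python
# Added example (not Zomato's code): minimal model of a /v2/userdetails.json/<id>
# handler. The user ids, tokens and records below are constructed for illustration.

# Constructed user records, keyed by the numeric id that appears in the URL.
USERS = {
    101: {"name": "alice", "phone": "+91-000-0001", "instagram_token": "IG-TOKEN-ALICE"},
    102: {"name": "bob",   "phone": "+91-000-0002", "instagram_token": "IG-TOKEN-BOB"},
}
# Constructed session store: access_token -> user id the token was issued to.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


class Unauthorized(Exception):
    """No valid session for the supplied access_token."""


class Forbidden(Exception):
    """Valid session, but not authorized for the requested object."""


def user_details_vulnerable(path_user_id: int, access_token: str) -> dict:
    """IDOR pattern: the token is only checked for validity, then the record is
    fetched by the caller-supplied id, so any logged-in user can read any user."""
    if access_token not in SESSIONS:
        raise Unauthorized("bad token")
    return dict(USERS[path_user_id])


def can_read(path_user_id: int, access_token: str) -> bool:
    """Object-level authorization: the requested id must equal the id the token
    was issued to. Returns False for an unknown token as well."""
    return SESSIONS.get(access_token) == path_user_id


def user_details_fixed(path_user_id: int, access_token: str) -> dict:
    """Fixed handler: resolve the principal from the token and compare it with the
    requested object before touching the record."""
    if access_token not in SESSIONS:
        raise Unauthorized("bad token")
    if not can_read(path_user_id, access_token):
        raise Forbidden("token not authorized for user %d" % path_user_id)
    return dict(USERS[path_user_id])


def own_details(access_token: str) -> dict:
    """Simplest fix for a 'my profile' endpoint: ignore any id supplied by the
    client and serve the record belonging to the token's own principal."""
    if access_token not in SESSIONS:
        raise Unauthorized("bad token")
    return dict(USERS[SESSIONS[access_token]])
```

With the vulnerable handler, Alice's token returns Bob's record, Instagram token included; with the fixed handler the same request is refused.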

Proof Of Concept Video:

This bug was responsibly disclosed to Zomato and was fixed within a few minutes by the engineering team.

Disclosure Timeline

June 1, 2015, 09:29 PM: Report sent to Deepinder Goyal, CEO

June 2, 2015, 12:54 PM: Added Gunjan Patidar, CTO, and Shrey Sinha to the mail thread

June 2, 2015, 1:04 PM: Bug acknowledged by Gunjan Patidar

June 2, 2015, 2:01 PM: Confirmation of vulnerability fix from Gunjan Patidar