Caught in the Crunch My Journey from Snacks to 2 Million Exposed Users Privacy

Published at
11/30/2024
Categories
privacy
cybersecurity
reverseengineering
Author
programmerraja

Hey there! Welcome back! Today, I want to share a surprising story about how a simple ₹10 cashback offer from a biscuit packet led to a big security mistake. It’s a wild ride, so let’s dig in!

The Snack Adventure

It was a weekend, and I was working on my personal project, feeling a little hungry. I decided to grab some biscuits (I’ll keep the brand a secret). As I opened the packet, I discovered a QR code promising cashback if I scanned it. Of course, my curiosity got the better of me!

I grabbed my phone, scanned the code, and found myself on a website asking me to sign up with my mobile number. After verifying my number with an OTP (a code they texted me), I was prompted to scan a 16-digit number from the packet and upload it. Then came the fun part: I had to cut the biscuit into a specific shape on a digital canvas on their website. Based on my creation, I earned 53 points and got a ₹10 cashback. They even had a leaderboard where I could see my score!

[Image: Leaderboard]

A Developer’s Curiosity Kicks In

As I basked in my biscuit victory, my inner tech nerd started asking questions. How does this all work? I decided to do a little digging.

First, I tracked the OTP process. The app sent my name and phone number to an endpoint called /v1/auth/register, and just like that, I got my OTP. After I entered it, they hit another endpoint, /v1/auth/verify-otp, and I received this response:

{
  "user": {
    "role": "user",
    "isVerified": true,
    "isBlocked": false,
    "bonusPoints": 0,
    "name": "xxxxxxx",
    "mobileNumber": "xxxxxxxxx",
    "id": "670bc1615a6eac9288930248"
  },
  "tokens": {
    "access": {
      "token": "JWT token",
      "expires": "date"
    },
    "refresh": {
      "token": "JWT token",
      "expires": "time"
    }
  },
  "score": { "userScore": 155, "userRank": 6895 }
}

Here’s the kicker: they were using JWT tokens for authentication and, judging by the 24-hex-character id, MongoDB as their database. Everything seemed fine until I went to the leaderboard page.

The Shocking Discovery

When I checked the leaderboard at the /v1/users/leaderboard endpoint, I couldn’t believe my eyes. The response included users’ phone numbers! Check this out:

{
  "message": "ok",
  "leaderboard": [
    {
      "rank": 1,
      "userId": "mongodb ID",
      "name": "name",
      "mobileNumber": "xxxxxxxx",
      "bonusPoints": 60,
      "totalMatchPercentage": 52367,
      "score": 52427
    },
    ....other users details
  ]
}

Can you believe it? They were exposing phone numbers right there! This was a huge security flaw.

After discovering this, I noticed that they followed a standard structure for their API endpoints, each one starting with /version_number/module/, where the module names a component such as auth or users.

Curious, I decided to check another endpoint, /v1/users. Initially, it responded with an "unauthorized" message. However, when I tried again using my token, I was shocked to find that it returned user data in a paginated format.

Oh my God, the data covered more than 200,000 users: an enormous amount of sensitive information exposed!

{
  "results": [
    {
      "activationCodes": [],
      "role": "user",
      "isVerified": true,
      "isBlocked": false,
      "bonusPoints": 60,
      "name": "xxxxxxxxx",
      "mobileNumber": "xxxxxxxxx",
      "city": "xxxxxxxx",
      "dob": "xxxxxx",
      "email": "xxxxxxxxxxx",
      "gender": "",
      "pincode": "",
      "platform": "xxxxxxx",
      "id": "xxxxxxx"
    },
    ...
  ],
  "page": 1,
  "limit": 10,
  "totalPages": 23315,
  "totalResults": 233145
}

To download all the user data I just had to add the query parameter ?limit=233145; the whole table could be pulled by tweaking a single query parameter.
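Both findings above, the leaderboard that echoed mobileNumber and the /v1/users listing that any logged-in user could page through with an unbounded limit, come down to two missing server-side controls: an allow-list of fields per response, and authorization plus a limit cap on the listing. The following is an added example of those controls written by the editor; it is not the vendor’s code. It reuses the field names from the JSON in this post, the user records and the `role` claim it reads from the verified JWT are constructed assumptions, and the handler is a plain function rather than a real Express route.

```javascript
// Added example (not the vendor's code): response shaping and authorization
// helpers for the leaderboard and user-list endpoints described in the post.
// Field names follow the JSON shown above; the records below are constructed.

// Fields any logged-in user may see on the public leaderboard. mobileNumber
// is deliberately absent: an allow-list means a new sensitive column added to
// the model later is never leaked by default.
const LEADERBOARD_PUBLIC_FIELDS = ["rank", "userId", "name", "bonusPoints", "score"];

// Fields an administrator gets back from the user listing (still no dob/email).
const USER_LIST_FIELDS = ["id", "name", "role", "isVerified", "isBlocked", "bonusPoints"];

// Server-enforced bounds on ?limit=, regardless of what the client asks for.
const DEFAULT_PAGE_LIMIT = 10;
const MAX_PAGE_LIMIT = 50;

// Constructed sample users (not real data).
const SAMPLE_USERS = [
  { id: "u1", name: "Alice", mobileNumber: "9000000001", role: "user",
    isVerified: true, isBlocked: false, bonusPoints: 60, email: "alice@example.test", dob: "1990-01-01" },
  { id: "u2", name: "Bob", mobileNumber: "9000000002", role: "user",
    isVerified: true, isBlocked: false, bonusPoints: 40, email: "bob@example.test", dob: "1991-02-02" },
  { id: "u3", name: "Carol", mobileNumber: "9000000003", role: "admin",
    isVerified: true, isBlocked: false, bonusPoints: 20, email: "carol@example.test", dob: "1992-03-03" },
];

// Copy only allow-listed keys from a record, in the listed order.
function pick(record, allowedFields) {
  const out = {};
  for (const key of allowedFields) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

// Leaderboard rows as the backend might build them from the user collection.
function sampleLeaderboard() {
  return SAMPLE_USERS.map((u, i) => ({
    rank: i + 1, userId: u.id, name: u.name, mobileNumber: u.mobileNumber,
    bonusPoints: u.bonusPoints, score: 1000 - i * 10,
  }));
}

// Vulnerable shape: the raw document, mobileNumber included, goes to the client.
function leaderboardEntryUnsafe(row) {
  return { ...row };
}

// Hardened shape: only public fields survive serialization.
function leaderboardEntrySafe(row) {
  return pick(row, LEADERBOARD_PUBLIC_FIELDS);
}

// Clamp a client-supplied ?limit=: non-numeric -> default, >max -> max, <1 -> 1.
function clampLimit(rawLimit) {
  const n = Number.parseInt(rawLimit, 10);
  if (Number.isNaN(n)) return DEFAULT_PAGE_LIMIT;
  return Math.min(Math.max(n, 1), MAX_PAGE_LIMIT);
}

// A valid token is not enough to list users; the role claim (assumed to come
// from an already-verified JWT) must be "admin".
function canListUsers(claims) {
  return Boolean(claims) && claims.role === "admin";
}

// Simulated GET /v1/users handler over an in-memory collection. Returns the
// same {results, page, limit, totalPages, totalResults} shape as the post.
function listUsers(claims, query, collection) {
  if (!canListUsers(claims)) {
    return { status: 403, body: { message: "forbidden" } };
  }
  const limit = clampLimit(query.limit);
  const page = Math.max(Number.parseInt(query.page, 10) || 1, 1);
  const start = (page - 1) * limit;
  const results = collection.slice(start, start + limit).map((u) => pick(u, USER_LIST_FIELDS));
  return {
    status: 200,
    body: {
      results, page, limit,
      totalPages: Math.ceil(collection.length / limit),
      totalResults: collection.length,
    },
  };
}

// Stand-alone demonstration of the two fixes.
console.log(sampleLeaderboard().map(leaderboardEntrySafe));
console.log(listUsers({ role: "user" }, { limit: "233145" }, SAMPLE_USERS).status);
console.log(listUsers({ role: "admin" }, { limit: "233145" }, SAMPLE_USERS).body.limit);
```

The allow-list is the important design choice: a deny-list (`delete row.mobileNumber`) silently fails the day someone adds `email` to the leaderboard query. The limit clamp is cheap to add but matters only together with the role check; capping at 50 per page merely slows down an unauthenticated scrape rather than stopping it.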

Wrapping It Up

After uncovering these issues, I immediately contacted the company, explaining the problems and urging them to fix it. It’s vital for companies to protect user data, especially when they’re running promotions.

So, what’s the takeaway? Always be careful with the information you share online. And businesses need to make sure they have strong security measures in place.

What do you think about this situation? Have you ever encountered similar issues? I’d love to hear your thoughts in the comments!
