Zomato: [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint

ID H1:263535
Type hackerone
Reporter prateek_0490
Modified 2017-10-27T05:19:38


Internal sales dashboard was open. While running through the JS file I discovered a new endpoint, and while reading further I found that it shouldn't have been accessible by anyone else apart from the admin. So, I started to find the correct POST request, and within a few minutes of fuzzing I found the correct POST parameters, which disclosed all the sales data and some employees' performance-related data of Zomato.

To all the newbies, about how I found this endpoint: it was a manual effort. Using a Chrome debugging tool, I looked into all the JS files manually and searched for "admin" (Ctrl+F) in all the JS files. Luckily I found one.