Square: Editing Client Details of other People

ID H1:27357
Type hackerone
Reporter eronx
Modified 2014-11-17T14:30:50


Hi there,

I have found out that there is no "authorization" in which prohibits a user to modify client's data of other users.

As per sample I have two(2) accounts: One freebie account and One subscribed account ( Monthly )

The freebie account has a Client with ID : f42b88d1af62f0a9d240024e83690174. That is :https://www.bookfresh.com/index.html?view=customer&id=f42b88d1af62f0a9d240024e83690174.

Now, I tried to access the same URL as per the other account ( subscribed monthly) and I can read and write on the client detail!

Even when not the merchant of the client, I can still access the client detail and modify it by just knowing the customer ID ( Md5 hash, can be trivially known ).

If you wanted more information regarding this, then let me know.

Cheers, Clifford