Mobile Vikings: Approve topup method by sender of this method

ID H1:47384
Type hackerone
Reporter 4lemon
Modified 2015-03-04T14:17:51


User A has a SIM and sends an auth request to user B. User B accepts it and decides to add their own top-up method to the shared SIM. User B goes to - selects the shared SIM card, selects a method in the section "Choose a payment method" and submits the form. User A gets an email with a link and also gets a reminder about this request on the website.

link from the mail -

link from the ->

Let's open this link in the context of user B's session - he sent this method, and user A should accept it, not user B.

Link from mail - 404 error - good

Link from request page - Easy Payment authorization request approved - ?????!!!!! (I tested as a completely different user and got a 404 error, so this works only in the context of the sender or recipient.)

Let's look closer at the request made by user B to send this method to user A:

POST /en/account/easypay/auto-sms-topup/ HTTP/1.1


sim_card=subscription-1036392 and payment_method=debtor_287740 - all the info needed to approve the request is already in the sender's request.
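
The authorization check this report points at, modelled as an added example (not part of the original report and not Mobile Vikings' code): a handler that accepts any party to the request next to one that accepts only the recipient. All names and user ids here are hypothetical.

```python
from dataclasses import dataclass

USER_A, USER_B, USER_C = 1, 2, 3  # constructed ids: SIM owner, sender, unrelated user


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


@dataclass
class TopupAuthRequest:
    sender_id: int      # user who offered the payment method (user B)
    recipient_id: int   # SIM owner who has to accept it (user A)
    approved: bool = False


def approve_flawed(req, session_user_id):
    # Behaviour described in the report: the sender or the recipient passes
    # the check, so the sender can approve the request they created.
    if session_user_id not in (req.sender_id, req.recipient_id):
        raise NotFound()
    req.approved = True


def approve_fixed(req, session_user_id):
    # Only the recipient may approve. The sender gets the same 404 as an
    # unrelated user, so the response does not reveal that the request exists.
    if session_user_id != req.recipient_id:
        raise NotFound()
    req.approved = True


def try_approve(handler, session_user_id):
    """Run a handler against a fresh request; return 'approved' or '404'."""
    req = TopupAuthRequest(sender_id=USER_B, recipient_id=USER_A)
    try:
        handler(req, session_user_id)
    except NotFound:
        return "404"
    return "approved" if req.approved else "pending"


if __name__ == "__main__":
    for name, handler in (("flawed", approve_flawed), ("fixed", approve_fixed)):
        for label, uid in (("A", USER_A), ("B", USER_B), ("C", USER_C)):
            print(f"{name:6} user {label}: {try_approve(handler, uid)}")
```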