Summary: Using this vulnerability, a user can use his account to claim the Zomato Gold benefit several times in the same restaurant within one day.
Description: Based on the Zomato Gold terms and conditions, Zomato Gold can be used only once at each partner restaurant in a day. But I think it doesn't work that way.
I have found improper validation in the Zomato Android app, in the Zomato Gold feature. This vulnerability allows a user to claim the Zomato Gold benefit (1+1 complimentary food or 2+2 complimentary drinks) in the same restaurant on a single day. This could potentially be abused by users who share their account with their friends, so that they can get the Zomato Gold benefit without subscribing, or who make multiple claims in one day. I think this bug could potentially bring a loss to Zomato if not fixed immediately.
Since I can't take a screenshot of my page while on the Visit ID page, I used an additional phone to take a picture and video; I hope you still understand.
Platform(s) Affected: Android mobile app
Zomato Gold Terms and Conditions (please take a look at point number 3): F412882 https://www.zomato.com/conditions?country_id=94&page_type=SUBSCRIPTION&gold_plan_page=1
As I said before, this vulnerability allows one user to claim the Zomato Gold benefit several times at one partner restaurant. Let's say that after visiting cafe A using Zomato Gold, he lends his account to his friend so his friend could also get the benefit of Zomato Gold without subscribing. He could also use it for himself if he uses it for lunch and dinner at the same restaurant.
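
The once-per-restaurant-per-day rule from the terms, enforced on the server with a database uniqueness constraint rather than in the app. This is an added example, not Zomato's code or part of the original report; the table, column and function names are assumptions, and the report does not say where the real check failed.

```python
import sqlite3
from datetime import date

# Hypothetical schema: one row per issued Visit ID. The UNIQUE constraint is
# the actual control; it holds even if two claims for the same account arrive
# at the same moment from two different phones.
SCHEMA = """
CREATE TABLE gold_visit (
    visit_id      INTEGER PRIMARY KEY,
    user_id       INTEGER NOT NULL,
    restaurant_id INTEGER NOT NULL,
    visit_day     TEXT    NOT NULL,  -- day computed by the server, never sent by the client
    UNIQUE (user_id, restaurant_id, visit_day)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def claim_gold(db, user_id, restaurant_id, day):
    """Issue a Visit ID, or return None if this account already claimed
    at this restaurant on this day."""
    try:
        with db:  # commits on success, rolls back on error
            cur = db.execute(
                "INSERT INTO gold_visit (user_id, restaurant_id, visit_day) "
                "VALUES (?, ?, ?)",
                (user_id, restaurant_id, day.isoformat()),
            )
        return cur.lastrowid
    except sqlite3.IntegrityError:
        # Duplicate (user, restaurant, day): reject instead of issuing a second Visit ID.
        return None

def visits_issued(db):
    return db.execute("SELECT COUNT(*) FROM gold_visit").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    day1, day2 = date(2024, 1, 1), date(2024, 1, 2)  # constructed sample dates
    print("lunch, cafe A :", claim_gold(db, 42, 1001, day1))
    print("dinner, cafe A:", claim_gold(db, 42, 1001, day1))  # None: same day
    print("cafe B        :", claim_gold(db, 42, 1002, day1))
    print("cafe A, next  :", claim_gold(db, 42, 1001, day2))
    print("visits issued :", visits_issued(db))
```

Because the insert itself is the check, there is no gap between "has this account claimed today?" and "record the claim" for a shared account to slip through.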