Razer: SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog
The tester determined the Razer Pay API server was vulnerable to a SQL injection that could allow the exposure of user information. Razer Fintech appreciates the clear and detailed PoC...
Razer: Insecure HostnameVerifier within WebView of Razer Pay Android (TLS Vulnerability)
The tester discovered the Razer Pay Android application was vulnerable to a client-side hijack which could have allowed the capture of important user data. Razer Fintech thanks the tester for their clear PoC...
Razer: RXSS at https://api.easy2pay.co/inquiry.php via txid parameter.
The tester discovered a reflected XSS on an API server related to Razer Pay TH. Note this is not a site that users will typically visit via a web browser front end. Razer thanks the tester for his diligence and the clear report...
Razer: [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted
The Razer Pay MY backend API had an access control vulnerability which would allow a client to delete the account of other users by varying the ID. Although an adversary could not target a specific individual by name, they could affect the integrity of the Razer Pay system. This was fixed in...
Razer: Improper Authorization at https://api-my.pay.razer.com/v1/trxDetail?trxId=[Id] allowing unauthorised access to other user's transaction details
The tester determined that the Razer Pay backend server could be exploited to obtain transaction details from another user. Razer Fintech appreciates the detailed report and clear PoC...
Razer: [Razer Pay Mobile App] IDOR within /v1_IM/friends/queryDrawRedLog allowed unauthorised access to read logs
The tester determined the Razer Pay MY server was vulnerable to unauthorized access to certain log file information due to an exposed signature in the Razer Pay Android application. Razer Fintech appreciates the clear and detailed report...
Razer: [Razer Pay] Broken Access Control at /v1/verifyPhone/ allows enumeration of usernames and ID information
The tester discovered an API endpoint with insufficient access control that could allow an adversary to obtain user name and phone number information. Razer Fintech thanks the tester for his clear PoC and diligence in helping us secure our customers' information...
Razer: Accessible Druid Monitor console on https://api.pay-staging.razer.com/
The tester discovered a monitoring application was available on a remotely accessible administrative console in the Razer Pay staging environment, which could have been used to leverage information that could have compromised the server. The Razer Pay team removed this and other similar servers...
Razer: Insecure Logging - OWASP (2016-M2)
The tester discovered that the Razer Pay Android application was storing user data locally on the phone in the clear. An adversary would need access to the phone to obtain this information. The application was patched to avoid storing this information in version 2.10...