Well this bug is P4 ,but if swiggy devs were little more unconscious i would have hit the jackpot ; anyway let’s jump into the topic
It was just an another day when i was super tired after my classes ,and i was thinking to get some snacks ,and being lazy enough i opened Swiggy and ordered some food ,
While my delivery was on its way ,i just came up with a casual idea “Hey, I should try to find bugs on swiggy site ,if something come up”
So as usual I opened the swiggy and logged in and was analyzing all the request and responses
And after sometime i found the response after inputting OTP is interesting
{"statusCode":0,"statusMessage":"done successfully","data":{"addresses":[],"verified":true,"mobile":"**********","juspay":{"cards":{"cards":[],"merchantId":"com.swiggy","customer_id":"88298457"},"merchant_name":"Swiggy","merchant_id":"com.swiggy","return_to_url":"http://www.swiggy.com/justpay/response.php"},"otp":"218678","attempt":1,"token":"96c78b5f-3447-4cc3-aa66-33d0947e7d21f4b28a48-cdba-471d-bc29-ca83b334ec2f","emailVerified":false,"signupSource":"SWIGGY","referral_code":"00DGO6","name":"asdfgh","hasWallet":false,"customer_id":"88298457","email":"piwene3552@brayy.com","mobileUpdateVerified":true,"optional_map":{"SWIGGY_PAY":{"meta":{"schemaVersion":"5.0.0"},"value":{"swiggyPayEnabled":true}},"SUPER_DETAILS":{"meta":{"schemaVersion":"1.0.0"}},"IS_SUPER":{"meta":{"schemaVersion":"1.0.0"},"value":{"superStatus":"NOT_SUPER"}}}},"tid":"c54779b4-3767-4afa-89a9-92528edcfbea","sid":"tz95dee3-6299-4a23-a947-3712a00c1e31","deviceId":"ed4d835f-4d3d-40af-acb1-f562ae742fad","csrfToken":null}
So i tried to see the response by entering wrong OTP
and it was like this
{"statusCode":1,"statusMessage":"OTP expired","tid":"3c79e125-d1f5-4807-887e-684994649be0","sid":"tz95dee3-6299-4a23-a947-3712a00c1e31","deviceId":"ed4d835f-4d3d-40af-acb1-f562ae742fad","csrfToken":null}
I tried to change the boolean value and status code but nothing came up ,then i copied the response of the correct request ,and paste it in the response of invalid one and forward the request
i successfully bypassed the login without entering the correct OTP
Yea! well but the catch is you can’t move too much things in it , like all i can do is just login ,that’s it if i try to see all the account details ,i was getting logged out ,and that’s why it made the impact low :( :(
But weak endpoints in scenerio like this can leads to complete Account takeover which would have make a larger impact….
I hope this writeup is useful for you ….You can follow me up in twitter https://twitter.com/AnonY0gi for more cybersec content ….
