I got this info from one of my friends, hence sharing with you all so that you can skip using this low-security app.
I am writing this email to notify you of some serious bugs in your app.
Bug 1 :
Bug severity – High
Impact – Huge business loss
You guys are sending the OTP in the response. This lets users check the response and extract the OTP from there. Do you really think that people like me don’t check app packets? Actually a lot of them do check. They check app packets to see if it is exploitable or not, and sending the OTP in the response definitely means it is exploitable. Even if one doesn’t know how to trace packets using a man-in-the-middle attack, they still know how to access the DB tables of the app. Have you heard of the app CheatDroid? I am sure you haven’t. Everything you save in the mobile’s local storage or SQL DB on the mobile, this app can show to users, so those who are not technical enough are simply getting the OTP from CheatDroid, and those who are a little technical have made auto scripts to increase refer points. This results in fake accounts, random data and wrong audit info. Stop sending OTPs in the response.
Bug 2 :
Bug Severity : High
Impact : Business loss
Oh, so you have blocked accounts of those who have earned points via scripts or who have many points. Smart people!!! But here again you made a mistake. You check if a user is blocked or not only at the time of login, on a very abstract level. For subsequent calls, you don’t check if the user is blocked or not. That’s BAD!! You can buy vouchers from the blocked account. You can see those vouchers. You can redeem those. OH OH!!! Mistake again.
Bug 3 :
Bug Severity : High
Impact : Trust loss
So, you have stored all the info of a user in your DB, like his name, email, address etc. etc. What it takes to access all those details is a user id which identifies a user. If I have a user id then I can access all the info of the user, his name, his email, his id, his coupons etc. etc. by entering his id in the below code
POST http://mobileadmin.zaggle.in/api/_APIClient/Us.... HTTP/1.1
So to access some person’s account, what you need is the userId of that user. It’s very easy to get the user id of a person from the response.
Bug 4 :
You guys are also sending the refers done by me in the response. What you actually send in the response is his number and name. I got the numbers of all the users who have used my refer code. Using the above technique, I can extract all their details and can see their refers, coupons. See, I can extract the whole DB of users using simple scraping code in Python.
I hope you will fix them soon. I don’t think I need to explain how to solve these issues. Feel free to get in touch with me if you have any questions.
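As an added illustration (not code from this email or from the Zaggle app), the following sketch shows the server-side fixes the report implies: the OTP is never placed in the response (bug 1), the blocked flag is re-read on every call rather than only at login (bug 2), and a record is served only to the authenticated owner, so a harvested user id by itself yields nothing (bugs 3 and 4). The user store, session table and SMS hand-off are constructed stand-ins.

```python
# Added illustration (not code from the email or the Zaggle app) of the checks the
# report asks for: OTP kept out of the response (bug 1), blocked status re-checked on
# every call (bug 2), records served only to their owner (bugs 3/4). Data is constructed.
import hmac
import secrets

USERS = {  # constructed sample data: one user already blocked for referral abuse
    101: {"name": "Asha", "blocked": False, "coupons": ["SAVE10"]},
    102: {"name": "Ravi", "blocked": True, "coupons": ["SAVE20"]},
}
SESSIONS = {}      # session token -> user id
PENDING_OTP = {}   # user id -> OTP, held server-side only

def request_otp(user_id):
    """Issue an OTP, hand it to an out-of-band channel, return only an acknowledgement."""
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING_OTP[user_id] = otp
    # send_sms(user_id, otp) would go here; the code itself never enters the response
    return {"status": "otp_sent"}

def verify_otp(user_id, otp):
    """Consume the OTP once (constant-time compare) and mint a session token."""
    expected = PENDING_OTP.get(user_id, "")
    if not expected or not hmac.compare_digest(expected, otp):
        raise PermissionError("invalid otp")
    del PENDING_OTP[user_id]
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token

def authorize(token):
    """Called on every request, not just login: re-read the blocked flag each time."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("no session")
    if USERS[user_id]["blocked"]:
        SESSIONS.pop(token, None)  # revoke the session as well
        raise PermissionError("account blocked")
    return user_id

def get_profile(token, requested_id):
    """Serve a record by the authenticated id; a client-supplied id that differs
    is refused rather than trusted, so one id cannot pull another user's data."""
    user_id = authorize(token)
    if requested_id != user_id:
        raise PermissionError("not your record")
    user = USERS[user_id]
    return {"name": user["name"], "coupons": list(user["coupons"])}
```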