Some Info About Zaggle & Why We Should Refrain Using Such Low Security Apps

Score: 3 Votes: 5

Vote down Reasons

  • Better price elsewhere : 1

I got this info from one of my friends, hence sharing it with you all so that you can skip using this low-security app.

Hi Team,
I am writing this email to notify you of some serious bugs in your app.

Bug 1:
Bug Severity: High
Impact: Huge business loss

You guys are sending the OTP in the response. This lets users check the response and extract the OTP from there. Do you really think that people like me don't check app packets? Actually a lot of them do check. They check app packets to see if it is exploitable or not, and sending the OTP in the response definitely means it is exploitable. Even if one doesn't know how to trace packets using a man-in-the-middle attack, they still know how to access the DB tables of the app. Have you heard of the app CheatDroid? I am sure you haven't. Everything you save in the mobile's local storage or SQL DB on the mobile, this app can show to users, so those who are not technical enough are simply getting the OTP from CheatDroid, and those who are a little technical have made auto scripts to increase refer points. This results in fake accounts, random data and wrong audit info. Stop sending OTPs in the response.

Bug 2:
Bug Severity: High
Impact: Business loss

Oh, so you have blocked the accounts of those who have earned points via scripts or who have many points. Smart people!!! But here again you made a mistake. You check if a user is blocked or not only at the time of login, on a very abstract level. For subsequent calls, you don't check if the user is blocked or not. That's BAD!! You can buy vouchers from the blocked account. You can see those vouchers. You can redeem those. OH OH!!! Mistake again.

Bug 3:
Bug Severity: High
Impact: Trust loss

So, you have stored all the info of a user in your DB, like his name, email, address etc. etc. What it takes to access all those details is a user id which identifies a user. If I have a user id then I can access all the info of the user, his name, his email, his id, his coupons etc. etc. by entering his id in the below code

POST http://mobileadmin.zaggle.in/api/_APIClient/Us.... HTTP/1.1
Content-Type: application/json
Content-Length: 56
Host: mobileadmin.zaggle.in
Connection: Keep-Alive
Accept-Encoding: gzip
UserId: 572c24553dcc21227431181d
Authorization: 0be68f1b-a814-416c-b101-19452dca7271
{"request_type":"1","UserId":"572c24553dcc21227431181d"}
So to access some person's account, what you need is the userId of that user. It's very easy to get the user id of a person from the response.

Bug 4:

You guys are also sending the refers done by me in the response. What you actually send in the response is his number and name. I got the numbers of all the users who have used my refer code. Using the above technique, I can extract all their details and can see their refers, coupons. See, I can extract the whole DB of users using simple scraping code in Python.

I hope you will fix them soon. I don't think I need to explain how to solve these issues. Feel free to get in touch with me if you have any questions.
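The four bugs in the email above are all server-side authorization failures: a secret (the OTP) echoed to the client, a blocked flag checked once at login instead of per request, a profile endpoint that trusts a client-supplied UserId, and a referral list that returns more fields than the feature needs. The following is an added example, not Zaggle's code and not part of the original post: a tiny in-memory stand-in for the reported API that shows how each check should be done on the server. All data (users, session tokens, the OTP store) and every name in it (issue_otp, handle_get_user, api_get_user, ...) are constructed for this example.

```python
"""Added example (not Zaggle's code): in-memory stand-in for the reported API,
showing the server-side checks that close bugs 1 to 4.  Users, tokens and the
OTP store are constructed here; all function names are hypothetical."""
import hashlib
import hmac
import secrets

# Constructed sample data: one active user, one blocked user.
USERS = {
    "u1": {"name": "Alice", "email": "alice@example.invalid", "blocked": False,
           "referrals": [{"name": "Carol", "phone": "+91-0000000000"}]},
    "u2": {"name": "Bob", "email": "bob@example.invalid", "blocked": True,
           "referrals": []},
}
# Session token -> user id.  The token is the only identity the server trusts.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}
# The OTP store holds only a hash of the code, so a dumped table does not leak it.
OTP_STORE = {}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def issue_otp(user_id):
    """Bug 1: the API response carries no OTP.  The code is returned as a
    second value only so the caller can hand it to the SMS gateway; it
    must never be placed in the JSON sent back to the app."""
    code = "{:06d}".format(secrets.randbelow(10 ** 6))
    OTP_STORE[user_id] = hashlib.sha256(code.encode()).hexdigest()
    api_response = {"status": "otp_sent"}      # nothing for CheatDroid to read
    return api_response, code


def verify_otp(user_id, submitted):
    """Constant-time comparison against the stored hash; single use."""
    expected = OTP_STORE.get(user_id)
    if expected is None:
        return False
    got = hashlib.sha256(submitted.encode()).hexdigest()
    if not hmac.compare_digest(expected, got):
        return False
    del OTP_STORE[user_id]
    return True


def authenticate(headers):
    """Bug 2: resolve the caller from the token and re-check the blocked
    flag on EVERY request, not only at login."""
    user_id = SESSIONS.get(headers.get("Authorization", ""))
    if user_id is None:
        raise Forbidden("invalid token")
    if USERS[user_id]["blocked"]:
        raise Forbidden("account blocked")
    return user_id


def handle_get_user(headers, body):
    """Bugs 3 and 4: the profile served is the one bound to the session.
    A client-supplied UserId is accepted only if it matches the session
    owner, and the referral list is minimised to names only."""
    caller = authenticate(headers)
    requested = body.get("UserId", caller)
    if requested != caller:
        raise Forbidden("UserId does not match session")   # stops the IDOR
    u = USERS[caller]
    return {"UserId": caller, "name": u["name"], "email": u["email"],
            "referrals": [{"name": r["name"]} for r in u["referrals"]]}


def api_get_user(headers, body):
    """HTTP-style wrapper returning (json_body, status_code)."""
    try:
        return handle_get_user(headers, body), 200
    except Forbidden as exc:
        return {"error": str(exc)}, 403


if __name__ == "__main__":
    resp, code = issue_otp("u1")
    print(resp, "| SMS gateway gets", code, "| verified:", verify_otp("u1", code))
    own = {"Authorization": "tok-alice"}
    print(api_get_user(own, {"request_type": "1", "UserId": "u1"}))   # 200, own data
    print(api_get_user(own, {"request_type": "1", "UserId": "u2"}))   # 403, IDOR
    print(api_get_user({"Authorization": "tok-bob"}, {"UserId": "u2"}))  # 403, blocked
```

The point of `authenticate` being called inside every handler, rather than once at login, is that a blocked account loses access to vouchers on the next request instead of at its next login; and because `handle_get_user` derives the subject from the session token, the `UserId` field in the body becomes redundant rather than authoritative.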

11 Comments

Now people will start exploiting more due to your tips.

@speedydeals wrote:

Now people will start exploiting more due to your tips.


Bug Fixed Now.

And btw, some people will loot anyway; looting is what people do.


That’s why I avoid installing new apps on my primary phone.

@G33kBoyRavi wrote:

Bug Fixed Now.

And btw, some people will loot anyway; looting is what people do.


Is it something to be proud of? It's a matter of shame that we Indians have degraded ourselves to the dirt that we are justifying these immoral acts.

@bk08 wrote:

Is it something to be proud of? It's a matter of shame that we Indians have degraded ourselves to the dirt that we are justifying these immoral acts.

Who said we are proud of it? Please don't poke your nose into my post :3



Why install an app when it can be done through a browser?

@bk08 wrote:

Is it something to be proud of? It's a matter of shame that we Indians have degraded ourselves to the dirt that we are justifying these immoral acts.

There is a choice to use it or not.
No one is forcing anyone.
If you don't use it, you are no saint. If one uses it, he is not a degraded person. So simply keep your comment to your inner self.
Just saying, because it seems making derogatory remarks has become a fashion for some individuals and they feel they are making a mark by doing so.
