Attacker shall receive order updates on WhatsApp for users who have activated WhatsApp notification
Team Summary
Official summary from Zomato
The researcher was able to determine a scenario where it was possible for an attacker to view limited order status updates for orders that met certain prerequisites. The prerequisites for this scenario were the following:

1. WhatsApp order status updates should have been enabled first for the order from the primary number of the user.
2. The order should not have been in a terminal state (not completed/cancelled).

Limited status updates were shown until the order was moved to a terminal state (cancelled/completed). Moreover, past events that had already been published were not pushed again. Apart from the order status updates (picked up, on the way, delivered):

* It was not possible to view/extract any other information, including user details.
* It was not possible to alter/update/cancel the order.

The root cause was a missing early exit in the validation layer and a caching overwrite on the flow that handled the subscription request. Thanks to @schutzx0r for responsibly disclosing this issue to us.
Vulnerability Details
Technical details and impact analysis
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$300.00
Submitted
Weakness
Business Logic Errors