Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Sending Unlimited Emails to anyone from zomato mail server.

None
Z
Zomato
Submitted None

Team Summary

Official summary from Zomato

We've been receiving similar issues, disclosing it publicly so that everyone reading this report can know that this is out of scope and hence going forward will be closed as N/A.

Actions:
View on HackerOne
Reported by bihari_web

Vulnerability Details

Technical details and impact analysis

Improper Restriction of Authentication Attempts
**Summary:** Zomoto provides developers to get the rich data of restaurant from their API. https://developers.zomato.com/api But here there is a security issue that can we exploited against zomato's Simple Email Server on Aws. **Description:**When we request the api_key from zomato they ask us for our email address and if the registration is successful then the developer would receive the confirmation email and they would get the api key. But there is no limit on number of times we can request the api_key. Although we get the same api_key every time but every time a email is sent to the specified email (This can we email of anyone). **Platform(s) Affected:** Website ## Steps To Reproduce: 1. Go to this url https://developers.zomato.com/api and click on the generate api key button. >Note:- This button is only shown to the users those who have not generated the api_key before. 2 . Intercept the request in proxy you would get a post request ``` POST /php/developer HTTP/1.1 Host: www.zomato.com Connection: close Content-Length: 223 Accept: application/json, text/javascript, */*; q=0.01 Origin: https://developers.zomato.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 DNT: 1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: https://developers.zomato.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,fr;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: PHPSESSID=f735ebfd3e11e47782417af48ab7ee23700ba818; context=api&action=generate_api_key&plan=premium&token=c8bb20d4e575cf91aa8028ac9802a050&name=VIPIN+BIHARI&email=<ANY_EMAIL>&phone=8127411000&company=XYZ.com&country=1 ``` F454847: Screenshot from 2019-03-30 10-31-02.png 3 . Now Attacker can Brute force the same request ( as above ) any numbers of times and the attacker would be able to send api_key email to anyone many times. ## Impact 1. The attacker can send api_key email to anyone ( It will be a spam mail for anyone ) any number of times and there making there mailbox out of storage. 2. It cost money to send emails to anyone and here the company may have the financial loss (If attacker tries to send thousands of mail ).

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Improper Restriction of Authentication Attempts