India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance
Medium
Starbucks
Team Summary
Official summary from Starbucks
mr_intrusionist discovered an Insecure Direct Object Reference (IDOR) which affects the https://card.starbucks.in/StarbucksMSRModule/starbucksGetCardData.do endpoint through the cardId parameter. This allowed an authenticated, but unauthorized user to iterate cards and view the balance. @mr_intrusionist — thank you for reporting this vulnerability and confirming the resolution.
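The summary describes the classic IDOR shape: the endpoint authenticates the session but then trusts the client-supplied cardId without checking that the card belongs to that session's account. The following is an added illustration, not Starbucks code and not the reporter's: a constructed in-memory card store with a hypothetical vulnerable handler beside a fixed one, plus a small denied-request log of the kind a defender would watch for bursts that indicate id iteration. Account names, card ids and balances are made up.

```python
"""Constructed illustration of the IDOR pattern in the summary and its fix.

Nothing here is Starbucks code; the handlers stand in for a server-side
endpoint that takes a cardId parameter. All data below is made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Card:
    card_id: str        # the "card index number" passed as cardId
    owner_id: str       # account that registered the card
    balance_cents: int  # monetary balance


# Constructed sample data: two accounts, three cards (hypothetical values).
CARDS = {
    "1001": Card("1001", "alice", 2_550),
    "1002": Card("1002", "bob", 10_000),
    "1003": Card("1003", "bob", 75),
}

# Rejected lookups are recorded so a defender can spot enumeration attempts.
DENIED_LOG: list = []


def get_card_data_vulnerable(session_user: str, card_id: str) -> Optional[dict]:
    """Vulnerable shape: authenticates the session, then trusts cardId as-is.

    Any logged-in user can read any card by supplying its id, which is the
    behaviour the report describes (authenticated but not authorized).
    """
    if not session_user:
        return None                      # authentication only, no ownership check
    card = CARDS.get(card_id)
    if card is None:
        return None
    return {"cardId": card.card_id, "balance": card.balance_cents}


def get_card_data_fixed(session_user: str, card_id: str) -> Optional[dict]:
    """Fixed shape: authorization is a property of (user, object), not user alone.

    The lookup is scoped to the caller's own cards. A card owned by someone
    else is treated exactly like a card that does not exist, so the response
    does not reveal whether the id is valid.
    """
    if not session_user:
        return None
    card = CARDS.get(card_id)
    if card is None or card.owner_id != session_user:
        DENIED_LOG.append({"user": session_user, "cardId": card_id})
        return None
    return {"cardId": card.card_id, "balance": card.balance_cents}


def denied_count_for(user: str) -> int:
    """Rejected card lookups by one user; a burst here is an IDOR-probe signal."""
    return sum(1 for entry in DENIED_LOG if entry["user"] == user)
```

The fix is deliberately a query-scoping change rather than a post-hoc 403: scoping the lookup to the caller's own cards keeps "not yours" and "does not exist" indistinguishable, and the denied log gives the operations team a per-account counter to alert on when one session touches many foreign ids in a short window.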
Reported by
mr_intrusionist
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Insecure Direct Object Reference (IDOR)