China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn
Medium
Starbucks
Team Summary
Official summary from Starbucks
xmfc discovered that the staging/non production site at https://reservation.stg.starbucks.com.cn/api/customer/reservation/history allowed anyone to retrieve fabricated test user reservation data by providing an OTP of 111111. @xmfc — thank you for reporting this vulnerability and for confirming the resolution.
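The summary above describes a staging endpoint that handed out reservation history to anyone who presented the static OTP 111111. The following Python sketch is an added illustration, not Starbucks' code and not the implementation of the reported endpoint; it shows the controls a defender expects around an OTP-gated history lookup: codes are random, hashed at rest, single-use, time-limited and bound to the phone number they were issued for, there is no static or environment-specific bypass code at all, and the history lookup serves only the phone number tied to the verified session, so a client-supplied phone parameter cannot be used to read another customer's records. The `ReservationService` class, the phone numbers, reservation strings and time-to-live values are all constructed for the example.

```python
"""Hardened OTP verification and reservation-history lookup (added example).

Everything here is constructed: the service class, the sample phone numbers
and the reservation strings are illustrative, not data from any real system.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300        # assumption: five-minute validity window
SESSION_TTL_SECONDS = 3600   # assumption: one-hour session
# Assumption: per-process key; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class OtpRecord:
    phone: str
    code_hash: bytes
    expires_at: float
    used: bool = False


@dataclass
class Session:
    phone: str
    expires_at: float


class ReservationService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested offline
        self._otps: Dict[str, OtpRecord] = {}
        self._sessions: Dict[str, Session] = {}
        # Constructed sample data keyed by phone number (not real customer data).
        self._reservations: Dict[str, List[str]] = {
            "+8613800000001": ["2023-04-01 store 1001 table 4"],
            "+8613800000002": ["2023-04-02 store 1002 table 2",
                               "2023-04-05 store 1002 table 7"],
        }

    def _hash(self, otp_id: str, code: str) -> bytes:
        # HMAC over (otp_id, code): a leaked table cannot be replayed across ids,
        # and the plaintext code is never stored.
        return hmac.new(SERVER_KEY, f"{otp_id}:{code}".encode(), hashlib.sha256).digest()

    def issue_otp(self, phone: str) -> Tuple[str, str]:
        """Create a random 6-digit code for `phone` and return (otp_id, code).

        In production the code is delivered out of band (SMS) and is never
        returned to the HTTP caller; it is returned here only so the example
        can complete the flow offline.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"
        otp_id = secrets.token_urlsafe(16)
        self._otps[otp_id] = OtpRecord(phone, self._hash(otp_id, code),
                                       self._now() + OTP_TTL_SECONDS)
        return otp_id, code

    def verify_otp(self, otp_id: str, phone: str, code: str) -> Optional[str]:
        """Return a session token bound to `phone`, or None on any failure.

        Deliberately no fixed test code: test accounts on a staging system
        should go through the same issuance path, not a magic value.
        """
        rec = self._otps.get(otp_id)
        if rec is None or rec.used or self._now() > rec.expires_at or rec.phone != phone:
            return None
        if not hmac.compare_digest(rec.code_hash, self._hash(otp_id, code)):
            return None
        rec.used = True  # single use, regardless of what the caller does next
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(phone, self._now() + SESSION_TTL_SECONDS)
        return token

    def reservation_history(self, token: str,
                            requested_phone: Optional[str] = None) -> Optional[List[str]]:
        """Serve history only for the phone bound to the session.

        A client-supplied `requested_phone` is honoured only when it equals the
        session's own phone, which closes the direct-object-reference path.
        """
        sess = self._sessions.get(token)
        if sess is None or self._now() > sess.expires_at:
            return None
        if requested_phone is not None and requested_phone != sess.phone:
            return None
        return list(self._reservations.get(sess.phone, []))


if __name__ == "__main__":
    svc = ReservationService()
    otp_id, code = svc.issue_otp("+8613800000001")
    print("static 111111 accepted:", svc.verify_otp(otp_id, "+8613800000001", "111111") is not None)
    token = svc.verify_otp(otp_id, "+8613800000001", code)
    print("own history:", svc.reservation_history(token))
    print("other customer's history:", svc.reservation_history(token, "+8613800000002"))
```

The injectable clock is what makes the expiry rule testable without sleeping; the rest of the design is the usual checklist for one-time codes: random generation, hashed storage, constant-time comparison, single use, short lifetime, and authorization derived from the verified identity rather than from a parameter the client controls.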
Reported by
seven6
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Insecure Direct Object Reference (IDOR)