Monday, December 22, 2008

Hacking --- Was it Myntra !!! ?? Yes !

Hi,



Some of you following me on Twitter already had some smell of the stuff and hack!

We wanted to have few T-shirts for MyKavita.com (which is India's leading Poetry website) and Mobile 4 Mumbai (which is first ever city bus search on mobile still in private beta).

Somehow we found that Myntra is leading provider of personalized stuffs like T-shirt, Keychain, Mug etc and we put the order for few T-shirts !


As always, i was in hacky mind and found that Myntra is open system ! Anyone (even non-authorized) user can get some of the very imp and personal information of Myntra's users like Mobile Number, E-mail, Postal Address, Order amount etc !

Additional to that it was fun (although accidently !) to place the order and get invoice without paying any money :)


Here is few sample screenshots which clearly shows your personal information [your name, id, cell no, phone number, E-mail, Postal Address, Order amount and details etc]











We have reported the issue to Myntra on 21st Dec, Sunday around 5:30 IST.

Myntra's team had called me, got explaination and confirmed the security/Privacy loophole within next 4 hr of reporting.

While publishing this post, Ashutosh from Myntra has taken active roll in managing the fix.

Overall impression:
Still its my first shopping experience, they are quick to revert and slow to act upon. After reporting the issues we do have around 3-4 phone calls etc.

Hope, they deliver the stuff on time [even i had not make payment till. :) ]








Disclaimar :

Offer of free T-shirt for not posting this post is rejected :)

Myntra is knowing that we had not make payment, we asked them we will pay full amount as soon as they provide the account details.

Do not worry for creditcard/netbanking information, it was not accessible !

Suggestion to Myntra to have strict auditing of their system




Update 1 :

-------

me: have look at,
just published !

lawania: ok


me: just check if any issue, let me know. will try to correct it.

lawania: see if you can remove the payment thing..as I called you up and asked that you payment is not approved..

me: Hmm. but then how would i get invoice ?

lawania: seems to be unusual cas .. sofar not got such issue..
but we did not get any confirmation mail for payment..

lawania: Since I was there in office on Sunday and I noticed the issue and immdiately called you


me: hmm. i am puting this chat as update ? is it fine ?
it will clearify to reader.


--------
Update 2:

Ashutosh from Myntra has called me on 26 Dec around 12:00 am [Or 25 dec around 11:55 pm]. He explained me that normally it is not offered in bribing sense, but it is in customer friendly sense. Whatsoever it is he is feeling shame and sorry for the same stuff.

below is the part of E-mai reply,

"We at Myntra are committed for best user experience. We are very serious about for customer data security.We will have complete security audit of our website and fix if there is any loop hole."
--------


Do you know any other hack ? ping me privately to raxit@m4mum.com !



Happy Hacking :)


Raxit Sheth
www.mykavita.com
www.m4mum.com

8 comments:

Sheth Raxit said...

just a note: published after confirmation of Fix from Ashutosh Lawania from Myntra !

Anonymous said...

I appreciate your modesty to refer the issue to the team. The company has to appreciate you efforts to convey and the modesty to be ready to pay each paisa.
There are people who would have prefered to not just complete current order without paying or informing, but also buy many more stuff without anyone coming to know...
I just wonder if the company really gave a thought to this...

Anonymous said...

Oh No ! Can i ask myntra to delete my info ? it is tough to trust now.

Jaynath said...

thanks for the info

Anonymous said...

Nice one Raxit

1 Question and 1 suggestion

Q: What was the hack? Seems like SQL injection to me.

S: While putting such screenshots, camouflage the personal details of users such as mobile number & email address.

Sheth Raxit said...

@Dinesh,

Thanks.i understand your point


@Rohit,
It is not SQLI. It is just happily welcoming GET request with orderid in parameter ! it is more stupid !

If you can send me the blurred image in E-mail. Myntra has not any problem with the imaage, as they were very first to read the blog post, though agree on your point.

Anonymous said...

Really late comment here. But, yeah, in any case.Not sure if Myntra exists anymore or not,but Raxit, your sullying Myntra here is some cheap publicity .. trying to gain for yourself as a hacker perhaps?

I wonder how your life has changed because of that post? Did you monetize it or was it a thoroughly enjoyed ego trip? Duh. Critical but incapable of creation, perhaps.

Sheth Raxit said...

Anonymus,

i dont like anonymus comment except some critical data. Atleast you should do open criticism.

Myntra still exists and i recently ordered from there.

first you read full post, full context and than you write, Ego is always there, but it does not mean every security vulnerability goes to public is for ego or is for monetization

-Raxit Sheth