API Endpoint Revealed Transaction Details of Millions of Users

Aadeshnamdev
Published in InfoSec Write-ups
2 min read · May 12, 2022

Today I will be talking about one of my findings, which revealed the transaction details of millions of users.

Let's begin by understanding what an API is.

API is an abbreviation of Application Programming Interface. In simple words, it is what one application uses to communicate with another application without sharing any system password with it.

So I was testing the application's payment system (of course, lol, I love testing them). While testing, I noticed that when I cancelled a transaction and intercepted the request via Burp, there was an API call in the request that handles the whole flow between their internal storage database and the normal web app. I also noticed that whether I cancelled or completed the transaction, they created a transaction ID for every payment request.

How I found this vulnerability

1. I refreshed my cancelled-transaction page and saw in Burp the API request that this endpoint was passing.

2. So what next? I removed that encoded part and sent a null value there. I got a 400 Bad Request, but there was a hint in the response: "Have to provide txn_id". That caught my attention.

3. After that I changed GET /api/v1/txnstatus/?internal_txn_id=4a0174e87f6d45468efa8dc34657118a to GET /api/v1/txnstatus/?txn_id=randomdigit

All I got were users' bank account details, their mobile numbers and some other less useful details as well 😁

Impact:
They were using a numeric transaction ID alongside the encoded one on another endpoint, api/v1/txnstatus/?txn_id, and because there was no authentication bearer I was able to retrieve millions of users' transaction details.

Mitigations they did:
Implemented JWT bearer authentication on their payment-related API endpoints.
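As an added illustration (not the author's code, and not the vendor's), here is a minimal transaction-status handler in the shape the write-up describes, beside a hardened version. The hardened handler requires a bearer token, looks the record up only by the opaque internal ID, checks that the caller owns it (authentication alone would still let any logged-in user read everyone's records), and returns only the fields a status page needs. The token table stands in for real JWT verification, and all records are constructed sample data.

```python
# Constructed sample data: numeric txn_id (guessable) plus the opaque internal id.
TRANSACTIONS = {
    1001: {"internal_txn_id": "4a0174e87f6d45468efa8dc34657118a", "owner": "alice",
           "bank_account": "XXXX1234", "mobile": "+91-9999900001", "status": "CANCELLED"},
    1002: {"internal_txn_id": "9c2f0b7e1d3a4c5b8e6f7a8b9c0d1e2f", "owner": "bob",
           "bank_account": "XXXX5678", "mobile": "+91-9999900002", "status": "SUCCESS"},
}
# Stand-in for JWT verification (assumption): maps a bearer token to a user id.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


def vulnerable_txn_status(params):
    """The reported shape: no authentication, lookup by a sequential numeric id,
    and the full record (bank account, mobile) echoed back to any caller."""
    txn_id = params.get("txn_id")
    if txn_id is None or not str(txn_id).isdigit():
        return 400, {"error": "Have to provide txn_id"}
    record = TRANSACTIONS.get(int(txn_id))
    return (200, record) if record else (404, {"error": "not found"})


def hardened_txn_status(params, headers):
    """Bearer auth + ownership check + opaque id + minimal response fields."""
    auth = headers.get("Authorization", "")
    user = SESSIONS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, {"error": "authentication required"}
    internal_id = params.get("internal_txn_id")
    if not internal_id:
        return 400, {"error": "internal_txn_id required"}
    record = next((r for r in TRANSACTIONS.values()
                   if r["internal_txn_id"] == internal_id), None)
    # Same 404 for "missing" and "not yours": the endpoint must not confirm
    # that someone else's transaction exists.
    if record is None or record["owner"] != user:
        return 404, {"error": "not found"}
    # Object-level authorization passed; still return only what the page needs.
    return 200, {"internal_txn_id": internal_id, "status": record["status"]}
```

In a real service the ownership check would be a database predicate (transaction id AND owner = authenticated user), and the lookup key should be the unguessable internal id, never a sequential integer.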

Thank you :)
I hope you enjoyed reading along with your cup of coffee.

Let's connect on Twitter:
https://mobile.twitter.com/aadesh_namdevv
