PII Disclosure of Apple Users ($10k)

Tracking Your Order
  • The APP prefix of the order number is fixed.
  • The 7 digits that follow APP can be brute-forced.
Blank Page
Get Order Status Details
Setting up the attack in Intruder
Found a valid orderno and disclosed shipping information
  • I made a detailed PoC and reported this vulnerability to Apple.
  • After a while, Apple fixed the vulnerability and requested that I check the fix.
Removing /api/Home/GetOrderStatus
No order status details in the response
Script to encrypt the values with CryptoJS and brute-force the order number
Brute force succeeded and disclosed shipping information
  • Apple requested that I send the bypass details in a new report, since the old fix was successful and the vulnerability was now found in a different endpoint.
  • Apple confirmed the vulnerability and rewarded me the first half of the bounty.
  • Apple took some time to implement a new fix.
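A detection-side check for the pattern described above (fixed APP prefix, 7 guessable digits, repeated requests against /api/Home/GetOrderStatus), written as an added example and not code from the original post: it groups order-status requests per client and flags clients that walk many consecutive order numbers. The log format, IP addresses, order numbers and the 1000-byte "hit" size are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post); format:
# <client ip> <timestamp> <method> <path> <query> <status> <response bytes>
SAMPLE_LOG = """\
203.0.113.5 2024-01-01T10:00:01Z POST /api/Home/GetOrderStatus orderno=APP0000001 200 312
203.0.113.5 2024-01-01T10:00:02Z POST /api/Home/GetOrderStatus orderno=APP0000002 200 312
203.0.113.5 2024-01-01T10:00:03Z POST /api/Home/GetOrderStatus orderno=APP0000003 200 1843
203.0.113.5 2024-01-01T10:00:04Z POST /api/Home/GetOrderStatus orderno=APP0000004 200 312
203.0.113.5 2024-01-01T10:00:05Z POST /api/Home/GetOrderStatus orderno=APP0000005 200 312
203.0.113.5 2024-01-01T10:00:06Z POST /api/Home/GetOrderStatus orderno=APP0000006 200 312
198.51.100.7 2024-01-01T10:01:00Z POST /api/Home/GetOrderStatus orderno=APP4821937 200 1790
198.51.100.7 2024-01-01T10:05:00Z POST /api/Home/GetOrderStatus orderno=APP4821937 200 1790
"""

ORDERNO_RE = re.compile(r"orderno=APP(\d{7})$")  # fixed APP prefix + 7 digits

def parse_line(line):
    """Return (ip, order digits, response bytes) for an order-status request, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[3] != "/api/Home/GetOrderStatus":
        return None
    m = ORDERNO_RE.match(parts[4])
    if not m:
        return None
    return parts[0], int(m.group(1)), int(parts[6])

def detect_enumeration(log_text, min_distinct=5, min_sequential_ratio=0.6, hit_bytes=1000):
    """Flag clients walking the 7-digit space: many distinct ordernos, mostly consecutive.
    hit_bytes is an assumed size separating a real order record from an empty reply."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        nums = sorted({r[1] for r in recs})
        if len(nums) < min_distinct:
            continue
        steps = [b - a for a, b in zip(nums, nums[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
        if seq_ratio >= min_sequential_ratio:
            findings[ip] = {
                "distinct_ordernos": len(nums),
                "sequential_ratio": round(seq_ratio, 2),
                "hits": sum(1 for r in recs if r[2] >= hit_bytes),  # likely real orders
            }
    return findings
```

Running `detect_enumeration(SAMPLE_LOG)` flags only 203.0.113.5; the benign client that checks its own order twice is not reported.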

Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.