Note: This post is not written to disclose any existing flaw. The issue discussed below has been fixed by the team and is not causing any individual or organisation any harm. It is for awareness purposes only.
In today’s era, technology is booming and developing countries like India are adopting it very quickly. A number of start-ups are entering the market to try their luck in various domains. Whether we talk about 3D printing, home automation, IoT or everyone’s favourite, e-commerce, we see a number of players putting in all their effort to get an early-mover advantage and beat the competition. But while technology helps people do all these things with ease and brands build a bond of trust with their customers, have you ever wondered how secure it is to get these things at the click of a button and to transact online? We know that technology improves daily, and security with it, but as normal users we are not aware of a few vulnerabilities that still exist. Even a techie cannot identify these vulnerabilities unless he goes deep and tries to find them. It is not a flaw in the system or carelessness on the part of team members; it is genuinely difficult to find each issue, and when it comes to hacking, we can say that no existing application is 100% secure. Most of the major applications, including Dropbox, Google and Sony, have been hacked in the past.
I am writing this blog post to make you aware of an issue I found on one of the major e-commerce players in India, Snapdeal. I came across a Cross-site Scripting (XSS) vulnerability in the search box of the mobile version of Snapdeal, i.e. “m.snapdeal.com”. As the wiki says, “Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.” With this attack, a user can steal the cookies of any other user and log in to their account without needing their password. (Without going more technical: you could be fooled and lose control of your account.)
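To show why a search box is a common place for this bug and what the fix looks like, here is an added example (not Snapdeal's code and not part of the original post) that renders a search results page with and without output encoding, plus response headers that limit cookie theft. All function names, the sample query and the header values are assumptions made for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input: a search term that carries markup instead of plain text.
SAMPLE_QUERY = '"><script>document.title="injected"</script>'

def render_search_vulnerable(query: str) -> str:
    """Reflects the search term verbatim, so markup in the term becomes page markup."""
    return (
        '<form action="/search"><input name="q" value="' + query + '"></form>\n'
        "<p>Results for " + query + "</p>"
    )

def render_search_hardened(query: str) -> str:
    """Encodes the search term for each context it is written into."""
    as_html = html.escape(query, quote=True)  # element text and quoted attribute values
    as_url = quote(query, safe="")            # a single URL query-string component
    return (
        f'<form action="/search"><input name="q" value="{as_html}"></form>\n'
        f"<p>Results for {as_html}</p>\n"
        f'<a href="/search?q={as_url}&amp;page=2">Next page</a>'
    )

def response_headers(session_id: str) -> dict:
    """Defence in depth for the cookie-theft scenario described in the post."""
    return {
        # HttpOnly keeps page scripts from reading the session cookie.
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        # A restrictive CSP stops inline script from running even if encoding is missed.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Content-Type": "text/html; charset=utf-8",
    }

def contains_live_markup(page: str) -> bool:
    """Crude regression check: did the reflected term survive as a real script tag?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))
    print(render_search_hardened(SAMPLE_QUERY))
    print(response_headers("constructed-session-id"))
```

The same check can run as a regression test against every page that reflects user input, not only search.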
I mailed the issue, with detailed steps to reproduce and the above screenshot, to the Snapdeal security team. Unfortunately, Snapdeal did not reply to me about this issue; they neither accepted it nor rejected it (as I got no response, I was not aware of what was going on internally). But persistence pays, and after a lot of emails to their security team and CEO, the issue ended up being fixed after more than 1 month. It’s great that no bad guy identified and exploited it before the fix.
P.S. Snapdeal has still not replied to my mail. If anybody from Snapdeal is reading this article, consider it a suggestion to analyze these sorts of issues ASAP after identification and to reply to all users like me. It would motivate us to find more issues and help the organisation build a robust and secure technology infrastructure.