I am not a great hacker. But I found a flaw on ecommerce websites which is very common, even among the top-tier ecommerce merchants in India. I reported it, in an ethical way, to their security teams / founders. Here are their responses, just FYI, so you can see how much ecommerce companies in India care about their systems and security.
The error
A simple error that many programmers make: validation is done only on the client side (in the browser's JavaScript), with no server-side validation. The shopping cart backend accepts a negative quantity value for a line item, so the negative line subtracts from the cart total and the customer is charged less than the real price. The check in the page is trivially bypassed, because the quantity is just a field in the request the browser sends and can be edited with any intercepting proxy or developer tools.
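The bug described above, as an added example that is not code from any of the merchants named in this post. The vulnerable functions trust the quantity straight from the request body, so a negative quantity lowers the total and, when the same value feeds stock bookkeeping, *adds* units back to inventory (the stock-calculation damage the Myntra section mentions). The hardened version validates on the server, rejecting anything that is not an integer in an allowed range, and looks prices up in a server-side catalog instead of trusting the client. The catalog, SKUs, prices (in paise), request body and the per-line limit are all constructed for illustration.

```python
"""Negative-quantity cart bug: client-trusting code beside a server-side-validated version.

Added example; the catalog, SKUs, prices and MAX_QTY_PER_LINE are assumptions.
Prices are integers in paise to avoid float rounding.
"""
import json

# Constructed server-side catalog: the server, not the client, is the source of prices.
CATALOG = {
    "SHIRT-001": 149900,   # Rs 1499.00
    "SOCKS-003": 19900,    # Rs 199.00
}
MAX_QTY_PER_LINE = 10      # assumed business rule


class InvalidCart(ValueError):
    """Raised when the request body fails server-side validation."""


def total_vulnerable(body: str) -> int:
    """Trusts the quantity exactly as the browser sent it (the flaw in the post).
    A negative qty produces a negative line amount that lowers the total."""
    items = json.loads(body)["items"]
    return sum(CATALOG[line["sku"]] * int(line["qty"]) for line in items)


def reserve_stock_vulnerable(stock: dict, body: str) -> dict:
    """Same trust problem applied to inventory: subtracting a negative qty adds stock."""
    new = dict(stock)
    for line in json.loads(body)["items"]:
        new[line["sku"]] = new.get(line["sku"], 0) - int(line["qty"])
    return new


def parse_cart_hardened(body: str) -> list:
    """Server-side validation that does not depend on anything the page's JavaScript did.
    Returns (sku, qty) pairs; price is never taken from the client."""
    try:
        items = json.loads(body)["items"]
    except (ValueError, KeyError, TypeError) as exc:
        raise InvalidCart(f"malformed body: {exc}") from exc
    if not isinstance(items, list) or not items:
        raise InvalidCart("cart must be a non-empty list")
    parsed = []
    for line in items:
        if not isinstance(line, dict):
            raise InvalidCart("each line must be an object")
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOG:
            raise InvalidCart(f"unknown sku {sku!r}")
        # type() rather than isinstance(): bool is a subclass of int, and "5" / 5.0 / True
        # must all be rejected, not coerced.
        if type(qty) is not int:
            raise InvalidCart(f"qty for {sku} must be an integer, got {qty!r}")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise InvalidCart(f"qty for {sku} out of range: {qty}")
        parsed.append((sku, qty))
    return parsed


def total_hardened(body: str) -> int:
    return sum(CATALOG[sku] * qty for sku, qty in parse_cart_hardened(body))


def reserve_stock_hardened(stock: dict, body: str) -> dict:
    new = dict(stock)
    for sku, qty in parse_cart_hardened(body):
        if new.get(sku, 0) < qty:
            raise InvalidCart(f"insufficient stock for {sku}")
        new[sku] -= qty
    return new


def rejects(body: str) -> bool:
    """True if the hardened path refuses this body."""
    try:
        total_hardened(body)
    except InvalidCart:
        return True
    return False


# Constructed tampered request: one shirt plus "minus five" pairs of socks.
TAMPERED_BODY = json.dumps({"items": [
    {"sku": "SHIRT-001", "qty": 1},
    {"sku": "SOCKS-003", "qty": -5},
]})
STOCK = {"SHIRT-001": 20, "SOCKS-003": 100}

if __name__ == "__main__":
    print("vulnerable total (paise):", total_vulnerable(TAMPERED_BODY))   # 50400 instead of 149900
    print("vulnerable stock:", reserve_stock_vulnerable(STOCK, TAMPERED_BODY))
    print("hardened rejects tampered body:", rejects(TAMPERED_BODY))
```

The vulnerable total drops from 1,49,900 paise to 50,400 paise, and the socks stock goes up from 100 to 105 even though nothing was returned. Rejecting with an error (rather than silently clamping to 1) is deliberate: a negative quantity cannot come from the legitimate UI, so it is a tampering signal worth logging, not a value to quietly repair.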
I reported the same issue to three ecommerce merchants.
- Myntra – Took the issue very seriously, accepted that it was a flaw in their system, and fixed it on high priority. Gave me a bounty for reporting it too 🙂
- Snapdeal – According to Snapdeal it was no issue at all. The security team mailed me saying the orders are not fulfilled in these cases.
- Yepme – All the reports vanished into thin air, and the issue still exists.
Here are the responses from each.
Myntra
Myntra's security team got in touch within 10-20 minutes. They asked for a clear description of the issue. I got an email from Abhinav, the AVP – Product Engineering at Myntra, appreciating the ethical disclosure and promising a bounty. They fixed the issue within a day. I also got an appreciation message from Myntra's CTO, Mr. Shaimik Sharma, who said they are always happy to hear about such disclosures because they help them improve. They took it seriously because they clearly understood that if this were done widely it could throw off their entire stock calculations, even though their fraud-protection systems would catch the very low order values on high-value products. After fixing the issue they cancelled my order, and all the cashback and points in my account were reversed with negative values, which in turn pointed to some flaws there too. This is how Myntra.com dealt with it: treating the error in their system as important and fixing it on high priority.
Attaching some screenshots for your ref:
Snapdeal
According to Snapdeal it was no issue at all. The security team mailed me saying: "The orders are not fulfilled in these cases, let us know if you could have the order fulfilled. We already have checks to handle these cases."
Areeee… Yaar, I was not reporting that people can purchase and have the order fulfilled; I was reporting an issue which could mess up your system. It's your system's fault! A flaw in an ecommerce system doesn't always mean that you can purchase something for free 😛
And the funny and best part is that they didn't accept it as an error in their system, but they fixed it anyway. Aree yaar, you should have admitted that; I never demanded any chocolates from you as a bounty :-p
Screenshots:
Yepme
No response at all, and the issue still exists.
An error does not necessarily mean a loss of money, data or performance. It simply means a fault in your code!
Very few companies in India accept ethical disclosures. If someone does a hack and makes it public, then it becomes a big deal. Otherwise most of them do not even care to reply!
So, dear XXX & YYY, it is not a BOUNTY that makes such reporters happy; a kind word of acknowledgement is something they value more.
Good to see white-hat hacking exercises applied and appreciated in the Indian ecommerce scenario. Keep up your efforts.
Thanks dear!.
The first two sites you mentioned are giving me a hard time. My account has been hacked on both, and an order has been placed on each on different days. I contacted CS, but their response is very slow. The email notifications continue to flood my inbox saying "order is placed, shipped, delivered", etc. Despite the fact that CS have been requested to delete the account, the continuing chain of email notifications sucks! Shyam, is there a solution to this problem from a customer's perspective? Any help is much appreciated.