Business logic: I can order anything from your account without paying for it
Summary
The writer discovered a business logic flaw in an e-commerce platform’s checkout and payment flow that allows purchases to be made without the account holder properly paying for them.
The flaw arises because guest (unauthenticated) checkout never verifies that the person placing the order actually owns the contact email address entered; the platform simply attaches the order to whichever existing account that email belongs to.
An attacker can therefore type a victim’s email address at checkout, and the resulting order is recorded under the victim’s account.
Two outcomes follow: unintentional financial loss for the victim if they are charged for orders they did not place, and deliberate financial loss or prank purchasing if the attacker chooses to pay for the order with the victim’s cashback points.
The issue remains unresolved despite timely reporting.
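To make the flaw concrete, here is an added illustration that is not the writer’s code and not the platform’s: a minimal order service in which a single flag selects between the trusting behaviour described above (a guest order is linked to whatever account owns the typed contact email) and a hardened behaviour where only an authenticated session can attach an order to an account. The account names, point balances, prices and the hardening approach are all assumptions made for the example.

```python
# Added illustration, not the writer's or the platform's code: a minimal order
# service that models the guest-checkout flaw summarised above, with the
# trusting behaviour and a hardened behaviour selectable by one flag.
# Account names, point balances and prices below are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    cashback_points: int = 0
    orders: list = field(default_factory=list)


class OrderService:
    def __init__(self, link_guest_orders_by_email: bool):
        # True  = flawed: a guest order is attached to whatever account owns
        #         the contact email typed at checkout (ownership never proven)
        # False = hardened: only an authenticated session can attach an order
        #         to an account, so points and order history are unreachable
        #         from guest checkout (assumed fix, not the platform's)
        self.accounts: dict[str, Account] = {}
        self.link_guest_orders_by_email = link_guest_orders_by_email

    def register(self, email: str, points: int = 0) -> Account:
        self.accounts[email] = Account(email, points)
        return self.accounts[email]

    def place_order(self, *, contact_email: str, total: int,
                    pay_with_points: bool,
                    session_email: Optional[str] = None) -> dict:
        # session_email is the identity of the logged-in session; None means
        # guest checkout, where the contact email is unverified user input.
        if session_email is not None:
            account: Optional[Account] = self.accounts[session_email]
        elif self.link_guest_orders_by_email:
            account = self.accounts.get(contact_email)  # FLAW: trusts the email
        else:
            account = None  # guest orders stay unlinked to any account
        if pay_with_points:
            if account is None or account.cashback_points < total:
                raise PermissionError("points need an authenticated owner with balance")
            account.cashback_points -= total
            paid_by = "points"
        else:
            paid_by = "card"
        order = {
            "contact_email": contact_email,
            "total": total,
            "paid_by": paid_by,
            "account": account.email if account else None,
        }
        if account is not None:
            account.orders.append(order)
        return order


def guest_spends_victim_points(link_guest_orders_by_email: bool):
    """Attacker checks out as a guest, types the victim's email and picks
    'pay with cashback points'. Returns (order or None, victim's remaining points)."""
    svc = OrderService(link_guest_orders_by_email)
    svc.register("victim@example.com", points=500)  # constructed victim account
    try:
        order = svc.place_order(contact_email="victim@example.com",
                                total=300, pay_with_points=True)
    except PermissionError:
        order = None
    return order, svc.accounts["victim@example.com"].cashback_points


def guest_card_order_lands_in_victim_history(link_guest_orders_by_email: bool) -> bool:
    """Same guest checkout but paid by card: does the order appear under the
    victim's account even though the victim never placed it?"""
    svc = OrderService(link_guest_orders_by_email)
    victim = svc.register("victim@example.com")
    svc.place_order(contact_email="victim@example.com", total=50,
                    pay_with_points=False)
    return len(victim.orders) == 1


if __name__ == "__main__":
    print("flawed:  ", guest_spends_victim_points(True))
    print("hardened:", guest_spends_victim_points(False))
```

With the flag set to True the guest order is attached to the victim’s account and drains 300 of the victim’s 500 points; with it set to False the same request is refused and the card-paid variant never appears in the victim’s order history. The hardened branch simply refuses to link unauthenticated orders to an account; an alternative (also an assumption here) is to keep linking by email but only after the address has been proven, for example via a confirmation link, before points or the account’s stored payment details become reachable.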