Logging into your Big Basket Account Leads to Cart Items Deleted.
Hello everyone, hope you all are doing well in this quarantine time period. Today i am going to write about a business logic error bug i found in Big Basket Android application. As we know most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc…). By contrast, business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. According to Wikipedia:
A logic error is a bug in a program that causes it to operate incorrectly, but not to terminate abnormally (or crash). A logic error produces unintended or undesired output or other behaviour, although it may not immediately be recognized as such.
So let’s get started. It all started when i was trying to order groceries through Big Basket app. I spent more than an hour searching and adding items in my cart for ordering in the next available slot and when i was preparing for checkout, it asked me to first log into my account. I logged into my existing account through my Google account and suddenly my cart became empty. Yeah you heard it right. Now imagine you spent more than an hour finding grocery items to order in next available slot and suddenly your items are vanished. How frustrating this situation is specially when you are in a nation wide lockdown and you need to wait many days to get your groceries delivered to your home. All your efforts are gone.
Impact:
- This damages company’s valued reputation.
- Customer looses the opportunity to place their order on time. (Slot full till you place your order again)
- Customers may stop using company’s application. (Situation of chaos and anger)
I reported this vulnerability to their security team but like the typical Indian bug bounty program they didn’t responded to my email in which i clearly demonstrated this vulnerability with a PoC video and well explained written text. After waiting few days and finding out that i am not the only one who is facing this issue from Big Basket and due to their security team’s negligence i thought of disclosing this bug through a writeup. This is a typical Indian company mentality and Big Basket is doing nothing new in this. Below i am attaching a link to the PoC video i made.
Timeline:
12th April 2020 → Bug spotted and reported to Big Basket.
14th April 2020 → Emailed security team for confirmation.
19th April 2020 → Disclosed bug through writeup.
This is the reason i never do Indian Bug bounty and Responsible Vulnerability Disclosure Programs.
Tested On:
Android version 8.1.0 (Oreo)
Latest version of Big Basket Android app.
PoC Link:
https://drive.google.com/open?id=1UAWaHWsMHyWpxHhUZ-FOvthcV61UIscK
