How We Found a Critical Bug That Leaked Chennai Residents’ Information

Have you ever stumbled upon something unusual while casually browsing a website? Sometimes, the biggest security flaws hide in plain sight.

The Curious Observation

During the recent Pongal holidays, one of our family members received a message about paying their Chennai Metro Water tax. Out of curiosity, we opened the link—and what we saw was shocking.

It didn’t ask for an OTP or password. Instead, it directly displayed personal details like:

  • Name
  • Mobile number
  • Address
  • Payment amount

The Investigation Begins

As security enthusiasts, we couldn’t ignore this. Even without a laptop, we started digging in using just a mobile phone.

The URL looked something like this: `https://example.com/code`

Using Termux, we sent a simple curl request to analyze it further:

curl -X GET "https://example.com/code" -i

The response revealed a redirect header leading to another URL: `https://lnkd.in/gPRpuyuV`

When we followed it, the server sent a POST request with the `id` parameter and responded with sensitive information:

  • Name
  • Address
  • Mobile number
  • Email ID
  • Payment history
  • Balance amount
  • VIP status

The Discovery

What happens if we change the `id` value to a random number? 🤔

To our surprise, it exposed another person’s data. This confirmed an IDOR (Insecure Direct Object Reference) vulnerability—a serious issue where anyone could access other users’ private information by modifying a simple parameter.

We immediately stopped testing and documented our findings. ✅
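
The server-side check whose absence produces an IDOR like the one described above, shown as an added example (not code from the affected site or from the original post). The record store, field names, key and function names are all assumptions made for illustration. A signed link only stops `id` swapping; it remains a bearer token, so sensitive fields still call for an authenticated session or OTP.

```python
import hashlib
import hmac

# Constructed sample data: sequential ids, as in the link described above.
BILLS = {
    1001: {"owner": "alice", "name": "A. Kumar", "balance": 450},
    1002: {"owner": "bob", "name": "B. Devi", "balance": 1200},
}
LINK_KEY = b"demo-only-key"  # assumption: a server-side secret, never sent to clients


def get_bill_vulnerable(bill_id):
    """IDOR: any caller who supplies an id gets that record."""
    return BILLS.get(bill_id)


def get_bill_authorized(session_user, bill_id):
    """Return the record only if the authenticated caller owns it."""
    bill = BILLS.get(bill_id)
    if bill is None or bill["owner"] != session_user:
        return None  # same answer for 'missing' and 'not yours': no id oracle
    return bill


def _tag(bill_id_text):
    return hmac.new(LINK_KEY, bill_id_text.encode(), hashlib.sha256).hexdigest()


def sign_link(bill_id):
    """Token for an SMS link: id plus an HMAC tag, so ids cannot be swapped."""
    return f"{bill_id}.{_tag(str(bill_id))}"


def get_bill_by_link(token):
    """Resolve a signed link; reject any token whose tag does not match its id."""
    bill_id, _, tag = token.partition(".")
    if not (bill_id.isascii() and bill_id.isdigit()):
        return None
    # Constant-time comparison on bytes, so untrusted input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), _tag(bill_id).encode()):
        return None
    return BILLS.get(int(bill_id))


if __name__ == "__main__":
    token = sign_link(1001)
    forged = "1002." + token.split(".")[1]  # id changed, tag reused
    print(get_bill_vulnerable(1002))
    print(get_bill_authorized("alice", 1002))
    print(get_bill_by_link(token), get_bill_by_link(forged))
```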

Reporting the Bug

The next day, we compiled a detailed Proof of Concept (PoC) and reported the issue to the Government of India. 🇮🇳

The Outcome:

We discovered two critical IDOR bugs that could have exposed the personal data of thousands of Chennai residents.

The Lesson?

Security issues are everywhere—sometimes, all it takes is curiosity and a keen eye to spot them. Keep exploring, keep learning, and most importantly, always report responsibly.

You Should Know:

1. IDOR Vulnerability Testing:

To test for IDOR vulnerabilities, you can use tools like Burp Suite or manually manipulate parameters in URLs. For example:

curl -X GET "https://example.com/user?id=123" -i

Change the `id` value to see if unauthorized data is exposed.

2. Using Termux for Mobile Security Testing:

Termux is a powerful terminal emulator for Android. Install it and use tools like `curl`, `nmap`, or `sqlmap` for basic security testing:

pkg install curl
curl -X GET "https://example.com" -i

3. Analyzing HTTP Headers:

Use `curl` to inspect HTTP headers and redirects:

curl -I "https://example.com"

4. Reporting Security Bugs:

Always document your findings with a detailed PoC and report them responsibly to the concerned authorities or the organization.

What Undercode Say:

Security vulnerabilities like IDOR are more common than you think. Always be cautious when handling sensitive data and ensure proper access controls are in place. Here are some additional commands and tools to enhance your security testing skills:

  • Linux Command for Network Scanning:

    nmap -sV example.com

  • Windows Command for Network Diagnostics:

    tracert example.com

  • SQL Injection Testing (use `sqlmap` to test for SQL injection vulnerabilities):

    sqlmap -u "https://example.com/user?id=1" --dbs

  • Check for Open Ports:

    netstat -tuln

Stay curious, stay ethical, and keep learning!

References:

Reported By: Cappriciosecuniversity How – Hackers Feeds