Hi there , today I’m gonna share one of my finding over authorization bug . Before jump into details make sure to follow me for upcoming writeups .

I found this bug on India’s biggest e-commerce site (for NDA policy let’s assume it redacted.com) . There’s 2 types of login for users – buyer and seller . Seller login portal is vulnerable to this misconfigured authorization bug.

So ,seller login portal looks like : seller.redacted.com . After creating profile on it , you have to give Display name (basically display name refers to your seller account). One can create more than 1 seller account under his/her profile.

Every time you logged in your profile, you have to choose your seller account to get into seller dashboard .

So , while choosing seller account it doesn’t check authorization properly . If you intercept the request and change seller account name to other person’s seller account , you will get direct access to his/her seller account with admin privilege . That’s what I did .

The vulnerable request while choosing seller account after login looks like :

POST /seller/switchSellerContext? HTTP/1.1
Host: seller.redacted.com
Connection: close
x-user-agent: ********

{"displayName":" seller_display_name "}

To ensure that this bug has real impact , I got into some popular seller accounts 😎 and what’s it looks like ?

Seller Ad revenue

Seller active listing product :

Also it was possible to change these seller accounts bank details without their knowledge/permission , also possible to see customer order details ,and customer delivery address .

All these leads to a critical bug . I reported this bug (severity score 9.8) and got appreciated and rewarded maximum bounty $X,XXX by program.

Thanks for the read , have a good day .