On the website of online furniture retailer Pepperfry, a serious security weakness was discovered that might have allowed individuals to sign in to the accounts of other registered customers.
In an exclusive interview with Moneycontrol, the organisation explained that the problem may allow a user to log into the account of another user or even create a brand-new account for any user that doesn't already exist.
The 'Internal Authentication' Application Program Interface (API) on the website, which allowed users to auto-login, contained a bug.
The same API displayed user personal data such as name, address, contact information, etc.
TPRM report: https://scoringcyber.rankiteo.com/company/pepperfry
"id": "pep155913423",
"linkid": "pepperfry",
"type": "Data Leak",
"date": "09/2019",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'E-commerce',
'name': 'Pepperfry',
'type': 'Online Furniture Retailer'}],
'attack_vector': 'Exploiting API vulnerability',
'data_breach': {'personally_identifiable_information': ['name',
'address',
'contact information'],
'type_of_data_compromised': ['Personal Information']},
'description': 'A serious security weakness was discovered on the website of '
'online furniture retailer Pepperfry that might have allowed '
'individuals to sign in to the accounts of other registered '
'customers.',
'impact': {'data_compromised': ['name', 'address', 'contact information'],
'systems_affected': ['Internal Authentication API']},
'initial_access_broker': {'entry_point': 'Internal Authentication API'},
'post_incident_analysis': {'root_causes': 'Bug in Internal Authentication '
'API'},
'references': [{'source': 'Moneycontrol'}],
'title': 'Pepperfry Security Weakness',
'type': 'Authentication Vulnerability',
'vulnerability_exploited': 'Internal Authentication API bug'}