Our team occasionally scans APIs for various customer and research purposes, or in connection with a specific request. As we do this, we sometimes find vulnerabilities from third-party organizations. This article is part of an ongoing series of posts following some API vulnerabilities FireTail researchers have uncovered in the process…
An unauthenticated API belonging to a fast food company exposed receipts from all of its stores in India. Delivery receipts included PII such as full names, phone numbers, and physical addresses.
The fast food company uses an e-receipt system. The vulnerability was lying in the way the login panel was functioning, resulting in authentication bypass.
This resulted in exposing API endpoints which could be requested without authentication to get the receipts of hundreds of stores in India. Many of those receipts were delivery receipts that contained PII such as full names, phone numbers and physical addresses.
The issue was reported on August 07, 2023 and it seems now fixed.