www.secretescapes.com URL parameter tampering

Website:

https://www.secretescapes.com/payment/directSuccessVoucher/INCREMENT_ID_OF_THE_VOUCHER - in the summary page, which was related with any type of the sold voucher, where INCREMENT_ID_OF_THE_VOUCHER was any next integer

Description:

Summary payment page of the voucher wasn’t properly secured - it should be visible only for the client which was an owner of the specified voucher. Unfortunatelly it could be rendered even by not logged user.

Attacker was able to render summary payment page of any voucher just by changing URL parameter at the end of the request (e.g. https://www.secretescapes.com/payment/directSuccessVoucher/61385) and after that he was able to read the voucher code (QTDGJ*****) of that sold voucher:

Voucher code visible on the example voucher's summary page

It could lead to exploitation vouchers’ codes which belong to other clients by an attacker and hipothetical double, financial loss by the vendor.

Timeline:

- 04-04-2017: Discovered
- 04-04-2017: Vendor notified
- 05-04-2017: Issue resolved