Hi Guys,

I'm Karthikeyan.V, a passionate Ethical Hacker and Cyber Security Researcher. During the recent Pongal holidays, I visited my grandma's house to spend time with family. While helping her clean up her phone, I stumbled upon a message about paying her Chennai Metro Water tax. Curious, I clicked the link, and to my surprise, the page opened without any authentication, displaying her name, mobile number, address, and payment amount.

Initial Observation

This unexpected access to personal information caught my attention. Despite not having my laptop, I decided to investigate further using just my mobile phone. I noticed the URL didn't contain any visible parameters but had a short alphanumeric string appended to the domain, like:


    https://example.com/code

Digging Deeper

Using the Termux app on my phone, I sent a simple curl request to inspect the response headers:


    curl -X GET "https://example.com/code" -i

The response revealed a redirect header pointing to another URL, such as:


    https://example.com/param?id=12345

Following this redirect, I observed a POST request to an endpoint with the id parameter. The response returned a JSON object containing sensitive information, including:

  • Name
  • Address
  • Mobile number
  • Email ID
  • Payment history
  • Balance amount
  • VIP status
  • And more

The Shocking Discovery

Curious about the system's security, I modified the id parameter to a random value and sent the same POST request. Shockingly, I was able to access another person's sensitive information. Realizing the severity, I immediately stopped testing and documented my findings.
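The two weaknesses described above (a short link that resolves to a guessable numeric id, and a lookup that returns the full record for any id) can be modelled in a few lines. The following is an added example with constructed sample data, not the author's PoC and not the water board's code: `BILLS`, the consumer identifiers and the token table are all assumptions. It places the vulnerable lookup beside the two fixes a defender would make: bind every full-record lookup to the authenticated session, and make the unauthenticated payment link an opaque random token that exposes only the amount due.

```python
"""Added example (not the author's code or the billing system's code).

Models the flow from the write-up with constructed data: a short link that
resolves to a bill, and a lookup keyed by a numeric id that returns the bill
as JSON. The vulnerable lookup trusts the id alone; the hardened lookup ties
access to the authenticated consumer, and the short link uses an opaque
random token instead of a sequential id.
"""
import secrets
from typing import Optional

# Constructed sample bills keyed by a sequential numeric id (not real data).
BILLS = {
    12345: {"owner": "consumer-a", "name": "A. Resident",
            "mobile": "9xxxxxxxx1", "balance": 450.0},
    12346: {"owner": "consumer-b", "name": "B. Resident",
            "mobile": "9xxxxxxxx2", "balance": 1200.0},
}


class NotFound(Exception):
    """Raised for both missing and foreign records, so the response does not
    tell a caller whether a guessed id exists."""


def lookup_bill_vulnerable(bill_id: int) -> dict:
    """The IDOR pattern from the write-up: any caller who knows or guesses an
    id receives the full record, with no check on who is asking."""
    return BILLS[bill_id]


def lookup_bill(session_user: str, bill_id: int) -> dict:
    """Hardened lookup: the record must belong to the authenticated consumer.
    Missing and foreign records share one error path."""
    record = BILLS.get(bill_id)
    if record is None or record["owner"] != session_user:
        raise NotFound("bill not found")
    return record


# Short links: opaque token -> bill id. The token is random and long enough
# that enumerating it is impractical, unlike a sequential numeric id.
SHORT_LINKS: dict[str, int] = {}


def issue_short_link(bill_id: int) -> str:
    token = secrets.token_urlsafe(24)  # 192 bits of randomness
    SHORT_LINKS[token] = bill_id
    return token


def resolve_short_link(token: str) -> Optional[int]:
    # Exact-key dictionary lookup; no id ever appears in the URL.
    return SHORT_LINKS.get(token)


def payment_summary(token: str) -> dict:
    """The most an unauthenticated payment page should show: the amount due
    and a masked reference. Name, address and mobile number stay behind a
    login (see lookup_bill)."""
    bill_id = resolve_short_link(token)
    if bill_id is None:
        raise NotFound("link invalid or expired")
    record = BILLS[bill_id]
    return {"amount_due": record["balance"],
            "reference": "***" + str(bill_id)[-3:]}
```

The design point is that the redirect in the write-up turned an unguessable-looking short code into a sequential `id`, and the POST endpoint then trusted that `id` on its own. Keeping the token opaque end to end and checking ownership on every full-record read closes both gaps; returning one generic "not found" for missing and foreign ids also denies an attacker the ability to confirm which ids are live.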

Reporting the Bug

The next day, I returned to my office, prepared a detailed Proof of Concept (PoC), and reported the issue to the Government of India. This wasn't just one bug—I uncovered two critical IDOR (Insecure Direct Object Reference) vulnerabilities that could expose the personal information of thousands of Chennai residents.

Final Thoughts

This experience highlighted the importance of securing applications, especially those handling sensitive personal data.

Disclaimer

To maintain ethical standards and protect user privacy, I am not disclosing any specific technical details or personal data in this write-up.

Purpose of This Write-Up

My intention in sharing this story is to raise awareness and emphasize the importance of secure application development. Together, we can make the digital world safer.

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!