Part 3/7:
As researchers began examining the MCD Delivery system, they discovered various alarming vulnerabilities. Not only could hackers place orders for a mere one rupee (approximately one US cent), but they could also redirect other users’ deliveries, view customer details, and retrieve sensitive information linked to drivers via unprotected API calls.
The Vulnerability Breakdown
The analysis delved deep into the app's functionality, revealing a range of severe flaws, including:
Broken Object Level Authorization: This flaw allowed a researcher to view the details of other customers' orders simply by incrementing the order ID in the request. By changing the ID in the URL, the status and details of any order could be retrieved, which shows that the API never checked whether the requester was actually authorized to access the object it was returning.
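To make the flaw concrete, here is an added illustration that is not code from the MCD Delivery app or from the researchers: a constructed order-lookup function in two forms. The vulnerable form looks the order up by ID and returns it to whoever asked; the hardened form also requires that the order belong to the requesting customer, and answers "not found" in both the missing and the not-yours case so the endpoint cannot be used to confirm which IDs exist. The order records, customer IDs and field names are all constructed for the example. A small helper walks a contiguous ID range, the way the article describes, so a defender can use it as a regression check that the fix actually closes the exposure.

```python
"""Constructed example of Broken Object Level Authorization (BOLA) and its fix.
Not the MCD Delivery app's code; the data below is invented for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    status: str
    delivery_address: str


# Constructed sample data standing in for the order store.
ORDERS = {
    1001: Order(1001, customer_id=7, status="DELIVERED", delivery_address="12 Sample Street"),
    1002: Order(1002, customer_id=8, status="OUT_FOR_DELIVERY", delivery_address="9 Example Road"),
    1003: Order(1003, customer_id=7, status="PREPARING", delivery_address="12 Sample Street"),
}


class NotFound(Exception):
    """Raised where an HTTP API would return 404."""


def _serialize(order: Order) -> dict:
    return {
        "order_id": order.order_id,
        "status": order.status,
        "delivery_address": order.delivery_address,
    }


def get_order_vulnerable(order_id: int, requester_id: int) -> dict:
    """BOLA: requester_id is accepted (the caller is authenticated) but never
    compared with the record, so any valid order_id returns another customer's order."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return _serialize(order)


def get_order_hardened(order_id: int, requester_id: int) -> dict:
    """Object-level check: the record must belong to the authenticated requester.
    Missing and foreign orders get the same response, so the endpoint does not
    reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != requester_id:
        raise NotFound(order_id)
    return _serialize(order)


def is_denied(lookup: Callable[[int, int], dict], order_id: int, requester_id: int) -> bool:
    """True if the lookup refuses to return order_id to requester_id."""
    try:
        lookup(order_id, requester_id)
    except NotFound:
        return True
    return False


def exposed_orders(lookup: Callable[[int, int], dict], requester_id: int,
                   id_range: Iterable[int]) -> List[int]:
    """Regression check: walk a contiguous ID range as one customer and list every
    order the endpoint hands back. After the fix, only that customer's orders remain."""
    return [oid for oid in id_range if not is_denied(lookup, oid, requester_id)]


if __name__ == "__main__":
    print("vulnerable:", exposed_orders(get_order_vulnerable, 7, range(1000, 1010)))
    print("hardened:  ", exposed_orders(get_order_hardened, 7, range(1000, 1010)))
```

The design point is that the ownership check belongs on the server for every object-returning route, keyed on the identity from the session or token, not on any value the client sends. In a real backend the same effect is usually achieved by scoping the query itself (select by order ID and customer ID together) so that a record the requester does not own is never loaded in the first place.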