RE: LeoThread 2025-01-31 00:32

in LeoFinance, last month

Part 4/7:

Mass Assignment Vulnerabilities: Further investigation uncovered that not only could researchers view orders, but they could also manipulate order properties, including prices. The researcher discovered that when they sent a request to update the order price to an impossible low of one rupee, the request was still accepted, enabling a successful checkout process.

Lack of Sensitive Data Protection: Another significant flaw involved APIs exposing personal information about delivery drivers, including their names, license plate numbers, and contact details. This data provided access to private information without proper safeguards, raising clear security concerns for driver safety.

Operational Exploitation
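
For the mass assignment issue described in this part, the following is an added example, not part of the original post and not the affected application's code: an order-update handler that binds the whole request body, next to one that allowlists client-writable fields and recomputes the total server-side. The field names, catalog and order layout are assumptions made for illustration.

```python
# Added illustration: field names, catalog and order layout are assumptions.
from decimal import Decimal

# Constructed server-side price list (rupees).
CATALOG = {"sku-rice-5kg": Decimal("450.00"), "sku-oil-1l": Decimal("180.00")}
# Constructed stored order.
SAMPLE_ORDER = {"id": "ord-1001", "items": {"sku-rice-5kg": 2},
                "total": Decimal("900.00"), "delivery_note": ""}
# The only order properties a customer request may set.
CLIENT_WRITABLE = {"items", "delivery_note"}


class RejectedUpdate(ValueError):
    """Raised when a request tries to set a field or value it must not."""


def vulnerable_update(order: dict, body: dict) -> dict:
    """Mass assignment: every key in the request body lands on the order."""
    return {**order, **body}


def compute_total(items: dict) -> Decimal:
    """Price the order from the server's catalog, never from client input."""
    if not isinstance(items, dict) or not items:
        raise RejectedUpdate("items must be a non-empty mapping of sku to quantity")
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG or type(qty) is not int or qty < 1:
            raise RejectedUpdate(f"invalid line item: {sku!r} x {qty!r}")
        total += CATALOG[sku] * qty
    return total


def hardened_update(order: dict, body: dict) -> dict:
    """Allowlist writable fields, then recompute the total server-side."""
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise RejectedUpdate(f"fields not writable by client: {sorted(unexpected)}")
    updated = {**order, **body}
    updated["total"] = compute_total(updated["items"])
    return updated


if __name__ == "__main__":
    tampered = {"total": Decimal("1.00")}  # constructed request body
    print("vulnerable:", vulnerable_update(SAMPLE_ORDER, tampered)["total"])
    try:
        hardened_update(SAMPLE_ORDER, tampered)
    except RejectedUpdate as exc:
        print("hardened rejected:", exc)
```

Rejecting unexpected fields outright, rather than silently dropping them, also leaves a clear signal in application logs when a client attempts to set a server-owned property.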