Unauthorized access to other users' orders on a travel site leaks a large amount of sensitive information (including ID card numbers)
No access control is enforced on the order query endpoint, so any logged-in user can view every other user's orders without authorization, leaking order holder names, mobile phone numbers, ID card numbers and other sensitive information.
0x00: Register an account with a mobile phone number.
0x01: After logging in, the order query URL is:
http://www.gzl.com.cn/b2c-web/member/order/201511260000289/Tour.html
where 201511260000289 is the order number.
Changing this value queries other users' orders without authorization. The order number is a date followed by a 7-digit sequence number.
Changing the number at random returns another person's order.
0x02: Consequences
1) Leakage of sensitive information such as ID card numbers, mobile phone numbers, email addresses and travel details.
2) Because the order number is sequential, the daily order volume can be inferred from it, which in turn reveals the travel service's order count and order amounts.
To test this idea, I tried it: on November 25, 2015, the order volume was 275 orders.
Serious statement: I only went through the orders for that one day; I did not save any order data and did not total the order amounts. I only checked the order volume for the day and did not read anything else. I promise.
Solution:
1) Could you verify the user's permission before serving the order query?
2) I am still very interested in your tourism products, because I often buy them on your site; I don't know how many times my information has already been sold ~~. Most importantly, I could not find an order deletion function, so all of my information is left exposed. I was forced to submit this vulnerability and hope it gets fixed quickly.
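As an added illustration of the fix requested in item 1 (this is example code, not the site's own implementation, whose server-side code is not shown in the report), the following Python models the order lookup three ways: the reported behaviour (authentication only), the corrected handler that checks that the order belongs to the logged-in account, and an opaque order reference that stops the URL from revealing the sequential counter behind consequence 2. It also includes a small detection rule over access-log tuples. The in-memory store, user ids, names and ID card values are constructed placeholders.

```python
# Added example (not from the report): ownership check and opaque references for an order lookup.
from collections import Counter
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Order:
    order_no: str      # visible format on the site: yyyymmdd + 7-digit sequence
    owner_id: int      # account that placed the order
    holder_name: str
    phone: str
    id_card: str


# Constructed sample data; every value here is an invented placeholder.
ORDERS = {
    "201511260000289": Order("201511260000289", 1, "Traveler A", "138-0000-0001", "ID-PLACEHOLDER-1"),
    "201511260000290": Order("201511260000290", 2, "Traveler B", "139-0000-0002", "ID-PLACEHOLDER-2"),
}


class LoginRequired(Exception):
    pass


class OrderNotFound(Exception):
    pass


def get_order_vulnerable(session_user_id, order_no):
    """Mirrors the reported behaviour: the caller must be logged in, but no
    ownership check is made, so any account can read any order."""
    if session_user_id is None:
        raise LoginRequired
    order = ORDERS.get(order_no)
    if order is None:
        raise OrderNotFound
    return order


def get_order_secured(session_user_id, order_no):
    """Fix 1: the order must belong to the logged-in account.

    A foreign order and a missing order get the same answer, so the endpoint
    cannot be used to confirm which order numbers exist."""
    if session_user_id is None:
        raise LoginRequired
    order = ORDERS.get(order_no)
    if order is None or order.owner_id != session_user_id:
        raise OrderNotFound
    return order


# Fix 2: expose an opaque reference instead of the sequential number so the URL
# no longer leaks the day's order count (consequence 2 in the report).
ORDER_REFS = {}       # opaque token -> order_no (kept server-side)


def issue_order_ref(order_no):
    token = secrets.token_urlsafe(16)    # 128 random bits: not guessable, not countable
    ORDER_REFS[token] = order_no
    return token


def get_order_by_ref(session_user_id, token):
    order_no = ORDER_REFS.get(token)
    if order_no is None:
        raise OrderNotFound
    return get_order_secured(session_user_id, order_no)   # ownership is still checked


def denied(handler, *args):
    """True if the handler refuses the request with OrderNotFound."""
    try:
        handler(*args)
    except OrderNotFound:
        return True
    return False


def flag_enumerators(access_log, threshold=5):
    """Detection: a burst of 404 answers for one account on this endpoint is the
    footprint of someone walking the order-number space.
    access_log: iterable of (user_id, order_no, http_status) tuples (constructed here)."""
    misses = Counter(uid for uid, _no, status in access_log if status == 404)
    return sorted(uid for uid, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    # Account 2 requests account 1's order: the reported handler returns it, the fix refuses.
    print("vulnerable:", get_order_vulnerable(2, "201511260000289").holder_name)
    print("secured denies foreign order:", denied(get_order_secured, 2, "201511260000289"))
```

The secured handler deliberately returns the same "not found" answer for a missing order and for someone else's order; a distinct "forbidden" response would still tell a caller which numbers are valid, which is exactly the information the report used to count the day's orders.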