Comment by NichoPaolucci
7 hours ago
I saw a team build some payment software a while ago that had a similar, if not exact, vulnerability. If someone had enough time / effort to figure out a not-super-unique ID (Something like 2456733), they could access the payment portal for an order.
I notified them and they said that this was noted, skipped, and they didn't believe it was an issue. Worst case scenario an attacker could... Pay for someone else's order, if this happened the attacker would be found by their payment details. Likewise on the payment screen they only see the order's total, nothing about the customer, nothing else about the order, just the total. So - I'm not sure. Maybe they're right?
I just shrugged. I would've patched it, feels like poor design and is easy enough to fix - but I couldn't really argue other than to say it felt sloppy.
But it's such an easy vulnerability to avoid, that if they're not avoiding it you have to ask what else did they gloss over in their system? "Felt sloppy" is exactly right, and the assumption should therefore be that the entire system is sloppy.
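The fix the thread calls "easy enough" looks like this in practice. This is an added example, not code from either commenter or from the payment system described: a hypothetical in-memory `PaymentPortal` whose payment page can be fetched by the guessable sequential order ID alone (the flaw described above), next to a hardened version that also requires an unguessable per-order token and, when a customer session exists, an ownership check. The class, method and field names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int            # sequential and guessable, e.g. 2456733
    customer_id: str
    total_cents: int
    # Unguessable capability token embedded in the payment link; the
    # guessable order_id alone is no longer enough to open the page.
    pay_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class PaymentPortal:
    """Hypothetical in-memory order store; constructed for this example."""

    def __init__(self):
        self._orders = {}

    def create_order(self, customer_id, total_cents):
        order_id = 2456733 + len(self._orders)  # constructed sequential IDs
        order = Order(order_id, customer_id, total_cents)
        self._orders[order_id] = order
        return order

    def payment_page_vulnerable(self, order_id):
        """The flaw: anyone who guesses the ID sees (and can pay) the order."""
        order = self._orders.get(order_id)
        return None if order is None else {"total_cents": order.total_cents}

    def payment_page_hardened(self, order_id, pay_token, session_customer_id=None):
        """Requires the per-order token; enforces ownership when a session exists."""
        order = self._orders.get(order_id)
        if order is None or not isinstance(pay_token, str):
            return None
        # Constant-time comparison so timing does not leak the token.
        if not hmac.compare_digest(order.pay_token, pay_token):
            return None
        if session_customer_id is not None and session_customer_id != order.customer_id:
            return None
        # Same response for "missing" and "not authorized", so a probe of
        # sequential IDs cannot tell which orders exist.
        return {"total_cents": order.total_cents}
```

The portal would place `pay_token` in the payment link it emails or shows to the customer, and log token mismatches on existing IDs as a signal that someone is walking the ID space.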