Yes, this time it is Findmyfare.com

Recently I found two issues in the Findmyfare website, so as usual I reported them. Unlike Dialog & Mobitel, Findmyfare was very responsive & took them very seriously. Within a few hours of my report, they deployed a fix for the 1st issue & a patch for the 2nd issue (not exactly a fix, but the data leaking issue was gone).

In this blog post I will explain what those two issues were.

First issue

This looks more like a mistake, but this kind of mistake can easily be identified in code review (not sure whether they do code review or not). Anyway, the issue was that they returned the account activation URL to the frontend once a user registered in their system.

So someone could register on Findmyfare.com with a random email address that does not belong to them, and get the account activated using the activation URL returned in the register API response. Because of this issue, they don't need access to the "Verify Account" email at all. Not that serious because of Findmyfare's business model, but something they could have noticed easily.
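The mistake above, modelled as an added example (this is not Findmyfare's code): a minimal registration flow where the vulnerable handler hands the activation link back to whoever called the API, next to the corrected handler, where the token only leaves the server through the e-mail channel. The function names, the in-memory store and the base URL are assumptions made for the illustration.

```python
# Added example, not Findmyfare's code. Models a registration endpoint that
# returns the activation URL in its response (the defect) next to one that
# does not. Store, Account, BASE_URL and the handler names are assumptions.
import json
import secrets
from dataclasses import dataclass, field

BASE_URL = "https://example.invalid"  # placeholder, not a real Findmyfare URL


@dataclass
class Account:
    email: str
    active: bool = False


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)           # email -> Account
    activation_tokens: dict = field(default_factory=dict)  # token -> email
    outbox: list = field(default_factory=list)             # (recipient, body); stands in for the mailer


def _create_pending_account(store: Store, email: str) -> str:
    """Create an inactive account and a single-use, unguessable activation token."""
    if email in store.accounts:
        raise ValueError("already registered")
    store.accounts[email] = Account(email=email)
    token = secrets.token_urlsafe(32)
    store.activation_tokens[token] = email
    return token


def register_vulnerable(store: Store, email: str) -> dict:
    """The defect: the caller of the API receives the activation link, so
    control of the mailbox is never actually proven."""
    token = _create_pending_account(store, email)
    url = f"{BASE_URL}/account/activate?token={token}"
    store.outbox.append((email, url))
    return {"status": "registered", "activation_url": url}


def register_fixed(store: Store, email: str) -> dict:
    """The fix: the token travels only to the mailbox. The JSON response
    carries nothing the client could use to finish activation itself."""
    token = _create_pending_account(store, email)
    url = f"{BASE_URL}/account/activate?token={token}"
    store.outbox.append((email, url))
    return {"status": "registered", "message": "Check your e-mail to activate your account."}


def activate(store: Store, token: str) -> bool:
    """Consume a token from the e-mail link; True on success, False otherwise."""
    email = store.activation_tokens.pop(token, None)
    if email is None:
        return False
    store.accounts[email].active = True
    return True


def response_leaks_token(store: Store, response: dict) -> bool:
    """Review helper: does any outstanding activation token appear anywhere in
    the serialized response body? Suitable as a unit test on the endpoint."""
    body = json.dumps(response)
    return any(tok in body for tok in store.activation_tokens)
```

The last helper is the kind of check a code review or a unit test would catch this with: serialize the registration response and assert that no live activation token appears in it, regardless of which field it might have been placed in.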

Second issue

This one is a bit more serious. Every time you book a flight through Findmyfare as a logged-in user, they save your traveller data in their DB. If you book for multiple people, all of those travellers' information gets saved. You can see the saved traveller information on the Findmyfare user profile page.

You can then edit the traveller information, so the next time you book a flight the edited information will be applied.

When a user clicks the edit button & opens the popup, the frontend fetches the traveller information from the backend to populate the fields.

Endpoint information

POST https://www.findmyfare.com/account/user_co_traveller/re_populate

Body
id - traveller_id
csrf_fmf_secure - some token

Only logged-in users can call this endpoint; Findmyfare uses cookie-based authentication for this. But they failed to authorize the user requesting the traveller data. Basically, any logged-in Findmyfare user could request any traveller's information, because Findmyfare didn't check whether the traveller data requested actually belonged to that user. So this endpoint leaked an entire database table of the Findmyfare system.

How big was the issue

There are currently more than 75,000 traveller records in the Findmyfare system. That could be a nice data set for a travel agency in Sri Lanka to do marketing with. That user data includes:

traveler id
user id
user type
first_name
last_name
date of birth
mobile number
email
address
country
passport
passport issue place
passport expiry date
frequent flyer airline
frequent flyer no
meal preference
preferred seat
price range

They added a patch to this re_populate API & now it doesn't return any user data, even when the traveller data belongs to the logged-in user. Hopefully they will re-enable this endpoint to return user data, but only the traveller data belonging to the logged-in user.
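The missing authorization step from the "Second issue" section, and the behaviour hoped for above (return a record only to its owner), as an added example that is not Findmyfare's code. It models the re_populate endpoint with the request fields the post describes (id, csrf_fmf_secure) and a cookie session; the traveller records, session cookies, CSRF tokens and user IDs are constructed for the illustration, and the handler names are assumptions.

```python
# Added example, not Findmyfare's code. A minimal model of the re_populate
# endpoint: the vulnerable handler authenticates and checks CSRF but never
# checks ownership; the fixed handler adds that check. Sample data below is
# constructed for the illustration.
import dataclasses
import hmac
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

log = logging.getLogger("re_populate")


@dataclass(frozen=True)
class Traveller:
    traveller_id: int
    user_id: int          # account that created the record (its owner)
    first_name: str
    passport: str


# Constructed sample table: two travellers owned by two different accounts.
TRAVELLERS = {
    101: Traveller(101, user_id=1, first_name="Alice", passport="N0000001"),
    102: Traveller(102, user_id=2, first_name="Bob", passport="N0000002"),
}
# Constructed sessions: cookie value -> (user_id, CSRF token bound to that session)
SESSIONS = {
    "cookie-user1": (1, "csrf-1"),
    "cookie-user2": (2, "csrf-2"),
}


def _authenticate(cookie: str) -> Optional[Tuple[int, str]]:
    """Cookie-based authentication: who is calling, and their session CSRF token."""
    return SESSIONS.get(cookie)


def _csrf_ok(expected: str, supplied: str) -> bool:
    return hmac.compare_digest(expected, supplied)


def re_populate_vulnerable(cookie: str, body: dict) -> Tuple[int, dict]:
    """Authentication and CSRF are enforced, ownership is not: any logged-in
    user can read any traveller id (broken object-level authorization)."""
    session = _authenticate(cookie)
    if session is None:
        return 401, {"error": "login required"}
    user_id, csrf = session
    if not _csrf_ok(csrf, body.get("csrf_fmf_secure", "")):
        return 403, {"error": "bad csrf token"}
    traveller = TRAVELLERS.get(int(body["id"]))
    if traveller is None:
        return 404, {"error": "not found"}
    return 200, dataclasses.asdict(traveller)


def re_populate_fixed(cookie: str, body: dict) -> Tuple[int, dict]:
    """Same checks plus the missing one: the record must belong to the caller.
    A foreign id and a non-existent id get the same 404, so the endpoint does
    not confirm which ids exist, and the denial is logged so that bulk
    enumeration stands out in server logs."""
    session = _authenticate(cookie)
    if session is None:
        return 401, {"error": "login required"}
    user_id, csrf = session
    if not _csrf_ok(csrf, body.get("csrf_fmf_secure", "")):
        return 403, {"error": "bad csrf token"}
    traveller = TRAVELLERS.get(int(body["id"]))
    if traveller is None or traveller.user_id != user_id:
        log.warning("user %s requested traveller %s they do not own", user_id, body["id"])
        return 404, {"error": "not found"}
    return 200, dataclasses.asdict(traveller)
```

With a real database the ownership condition belongs in the query itself (look the record up by traveller id and the session's user id together) rather than as a comparison after an unconstrained fetch, so that no code path can return a row the caller does not own.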

Cheers,
DilumN
