Perceptions of Indian E-commerce Companies About Security And Ethical Disclosures?

I am not a great hacker, but I found a flaw on e-commerce websites which is very common even among the top-tier e-commerce merchants in India. I have reported all of the below in an ethical way to their security teams / founders. Here are the responses from them, just FYI, to show how e-commerce companies in India care about their systems and security.

The error

A simple error that programmers make all the time: the quantity field is validated only on the client side, with no server-side validation. Anyone who submits the request without going through the browser's checks can send a negated quantity, the shopping cart system accepts it, and the negative line total reduces the overall cart amount.
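To make the flaw concrete, here is an added example (not code from any of the sites mentioned) of a cart total and stock reservation that trust the client-supplied quantity, beside the server-side check that closes the hole. Item SKUs, prices and the quantity limit are constructed for the demonstration.

```python
from dataclasses import dataclass

MAX_QTY_PER_LINE = 10  # assumed business limit; not a value from the post


class InvalidCartError(ValueError):
    """Raised when a cart write fails server-side validation."""


@dataclass(frozen=True)
class Line:
    sku: str
    unit_price_paise: int  # integer paise avoids float rounding
    qty: int


def vulnerable_cart_total(lines):
    """Trusts the client-supplied qty: a line with qty -3 subtracts from the total."""
    return sum(line.unit_price_paise * line.qty for line in lines)


def vulnerable_stock_after(stock, lines):
    """The same trust applied to stock reservation: a negative qty *adds* stock."""
    remaining = dict(stock)
    for line in lines:
        remaining[line.sku] -= line.qty
    return remaining


def validate_line(line):
    """Server-side check; whatever the browser validated is not evidence of anything."""
    if type(line.qty) is not int:  # also rejects bool/str/float arriving via JSON
        raise InvalidCartError(f"{line.sku}: quantity must be an integer")
    if not 1 <= line.qty <= MAX_QTY_PER_LINE:
        raise InvalidCartError(f"{line.sku}: quantity {line.qty} outside 1..{MAX_QTY_PER_LINE}")
    if line.unit_price_paise <= 0:
        raise InvalidCartError(f"{line.sku}: non-positive price")


def safe_cart_total(lines):
    """Validate every line before any total or stock calculation touches it."""
    for line in lines:
        validate_line(line)
    return vulnerable_cart_total(lines)  # the arithmetic is fine once inputs are trusted


def cart_accepted(lines):
    """True if the cart passes server-side validation (useful for tests and logging)."""
    try:
        safe_cart_total(lines)
        return True
    except InvalidCartError:
        return False


# Constructed sample cart: one pair of shoes at Rs 2499 and a *negated* T-shirt line.
CART = [Line("SHOE-1", 249900, 1), Line("TEE-1", 59900, -3)]
STOCK = {"SHOE-1": 5, "TEE-1": 20}
```

With the constructed cart, the trusting total comes to 70200 paise instead of 429600, and the T-shirt stock count goes up rather than down; the validated path rejects the cart before either number is computed.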

I have reported the same to three ecommerce merchants.

  1. Myntra – Took the issue very seriously, accepted that it is an issue in their system and solved it on high priority. Gave me a bounty for reporting too 🙂
  2. Snapdeal – According to Snapdeal there was no issue at all. The security team mailed me saying "The orders are not fulfilled in these cases".
  3. Yepme – All the reports vanished into thin air and the issue still exists.

Here are the responses from each.

Myntra

Myntra’s security team got in touch in 10-20 mins. They asked for a clear definition of what it is. Got an email from Abhinav, the AVP – Product Engineering at Myntra, appreciating the ethical disclosure and assuring some bounty. They solved the issues in a day. Got the appreciation message from Myntra CTO Mr. Shaimik Sharma, and he said they are always happy to hear about such disclosures, which help them improve. They took it seriously as they clearly understood that if it is done widely it can affect their complete stock calculations, even though their fraud protection systems would catch the very low order values of highly valued products. Also, after solving the issues they cancelled the order, and all cashback and points in my account were reversed with negative values, which in turn pointed to some flaws there too. This is how Myntra.com dealt with it, giving the error in their system due importance and solving it on high priority.

Attaching some screenshots for your ref:


Snapdeal

According to Snapdeal there was no issue at all. The security team mailed me saying: "The orders are not fulfilled in these cases, let us know if you could have the order fulfilled. We already have checks to handle these cases."

Areeee… Yaar, I was not reporting that people can purchase and have the order fulfilled; I was reporting an issue which could mess up your system. It's your system's fault! A flaw in an e-commerce system doesn't mean that you can always purchase something for free 😛

And the funny and best part is they didn't accept that as an error in their system, but they fixed it anyway. – Aree yaar, you should have admitted that; I never demanded any chocolates from you as bounty :-p

Screenshots:


Yepme

No response at all, and the issue still exists.

 

 An error never means that you have loss of money, data or performance. It simply means a fault in your code !

Very few accept ethical disclosures in India. If we do a hack and make it public, then it's a big deal. Otherwise most of them don't even care to reply!

So dear XXX & YYY, it's not a BOUNTY that makes such reporters happy; a kind word of acceptance is something they value more.

4 Comments

  1. The first two sites you mentioned are giving me a hard time. My a/c has been hacked on both and an order has been placed on each on different days. Contacted CS but their response is very slow. The email notifications continue to flood my inbox saying – order is placed, shipped, delivered etc. Despite the fact that CS have been requested to delete the a/c, the continuing chain of email notifications sucks! Shyam, is there a solution to this problem from the customer’s perspective? Any help is much appreciated.

