IDOR Vulenebility with empty response still exposing sensitive details of customers!

Hello there👋!
For many days I was thinking of sharing my bug bounty experience with the community and finally writing my first write-up.

After basic recon, I started testing functionalities on the main domain.
It was an e-commerce website, say https://redacted.com.

As it was an e-commerce site, there is a shipping address. While updating the address, I noticed that the address_id parameter is the unique ID for each address. I tried IDOR (who dont know what is IDOR, check https://portswigger.net/web-security/access-control/idor), but it validated the session and only gave the respective user’s address. I tried changing the method GET, POST, PUT, but nothing worked.

Then, I clicked on set as default address button, POST request sent on https://redacted.com/c/def_addr with the address_id and got 200 Response with an empty body.

I repeated the same POST request with sequential address_id and got 200 response for that and an empty response body.

After playing with address APIs, There was no success. 😞

I moved to cart and checkout functionality. After clicking on the checkout page, I was redirected to https://redacted.com/payment, and surprise!!

I noticed that there was a different address of some other user! It contains the Customer Name, Full Address, Mobile Number.
So, all user’s addresses and mobile numbers were exposed!

Thank you for reading. As this is my first write-up, suggestions are most welcome.

Connect with me on https://www.linkedin.com/in/rahulvarale/

Cyber Security Researcher | Bug Hunter | Computer Science Student