According to developer Sazzad Hussain, millions of Swiggy users are at risk. Sazzad managed to download the invoice of any Swiggy order and obtain sensitive data such as the user's name, exact address, and order details, using nothing more than an order ID.
“I have already reported the vulnerability to Swiggy but they refused to acknowledge it, saying this is a known bug,” said Sazzad in a telephonic conversation with The August.
“I can put any random order ID and get details of the user. I can even get the exact location of the user,” he added.
We were able to verify the claims by providing one of our Swiggy order IDs to Sazzad. He sent us the restaurant name, ordered items, and our exact office co-ordinates.
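
An invoice lookup that trusts the order ID alone, as described above, is missing an ownership check on the server side. The following is an added example, not Swiggy's code and not part of the original report: it shows such a lookup beside a corrected one, plus a simple count of denied lookups per account for monitoring. All function names, account names and order data are hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str      # account that placed the order
    name: str
    address: str
    items: tuple

# Constructed sample data; all names and IDs are hypothetical.
ORDERS = {o.order_id: o for o in (
    Order(1001, "user-a", "Asha", "12 Example Road", ("Paneer Wrap",)),
    Order(1002, "user-b", "Bilal", "7 Sample Street", ("Veg Biryani", "Lassi")),
    Order(1003, "user-b", "Bilal", "7 Sample Street", ("Masala Dosa",)),
)}

class NotFound(Exception):
    """Raised for both missing orders and orders owned by someone else."""

def _invoice(order):
    return {"name": order.name, "address": order.address, "items": list(order.items)}

def invoice_vulnerable(session_user, order_id):
    # Flaw: the order ID alone selects the record; session_user is never checked.
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return _invoice(order)

def invoice_hardened(session_user, order_id):
    order = ORDERS.get(order_id)
    # Ownership check. The same error covers "missing" and "not yours",
    # so responses do not confirm which order IDs exist.
    if order is None or order.owner_id != session_user:
        raise NotFound(order_id)
    return _invoice(order)

def flag_enumeration(requests, threshold=3):
    """Return accounts with at least `threshold` denied invoice lookups."""
    denied = Counter()
    for session_user, order_id in requests:
        try:
            invoice_hardened(session_user, order_id)
        except NotFound:
            denied[session_user] += 1
    return sorted(u for u, n in denied.items() if n >= threshold)
```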