Headline
CVE-2023-47392: Mercedes me IOS APP has the vulnerability of exceeding the authority to add shopping cart orders and query shopping cart contents
An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the carts of other users via sending a crafted add order request.
Vulnerability description: the Mercedes me iOS app lets a user add shopping cart orders and query shopping cart contents beyond their own authority.
An attacker can bypass the app's access-control checks by constructing a specific request, adding shopping cart orders and querying the contents of the cart as another user.
Because these operations are normally subject to strict authorization, such overreach can lead to serious security issues.
In addition, since the shopping cart may contain the user's personal information and sensitive data, such an unauthorized query may disclose the user's private data.
At the same time, the attacker can learn the user's shopping habits and preferences in this way and use them for targeted fraud.
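The defect class the description points at is an object-level authorization gap: the server authenticates the caller but keys the cart purely on the VIN the client supplies. The following is an added example, not Mercedes code and not the app's real API; it contrasts a toy handler with that gap against a hardened one that maps the VIN back to the caller. All user names, VINs, cart contents and the ownership table are constructed.

```python
# Added example (not Mercedes code): a toy cart service showing the
# access-control gap described in the advisory next to the hardened form.
# User names, VINs, cart contents and the ownership table are constructed.


class Forbidden(Exception):
    """Raised when the caller may not act on the requested vehicle."""


# Constructed ownership table: authenticated user -> VINs they may act on.
# A real service would resolve this from the vehicle-registration backend.
USER_VEHICLES = {
    "alice": {"VIN-AAA-0001"},
    "bob": {"VIN-BBB-0002"},
}

# Constructed cart storage keyed by VIN, the object reference the client sends.
CARTS = {
    "VIN-AAA-0001": [{"sku": "wiper-blade", "qty": 2}],
    "VIN-BBB-0002": [{"sku": "floor-mat", "qty": 1}],
}


def query_cart_vulnerable(session_user, request):
    """Gap: the VIN in the request is used directly as the cart key.
    Authentication established who session_user is, but nothing checks that
    the VIN belongs to them, so a request carrying someone else's VIN
    returns that person's cart."""
    return list(CARTS.get(request["vin"], []))


def add_order_vulnerable(session_user, request):
    """Same gap on the write path: the item lands in whichever cart the
    supplied VIN names. Returns the new item count of that cart."""
    CARTS.setdefault(request["vin"], []).append(request["item"])
    return len(CARTS[request["vin"]])


def _authorize_vin(session_user, vin):
    """Hardened core: the object reference must map back to the caller.
    Deny by default when the user has no vehicles registered at all."""
    if vin not in USER_VEHICLES.get(session_user, set()):
        raise Forbidden(f"{session_user} may not access vehicle {vin}")


def query_cart_hardened(session_user, request):
    """Read path with the ownership check applied before the lookup."""
    vin = request["vin"]
    _authorize_vin(session_user, vin)
    return list(CARTS.get(vin, []))


def add_order_hardened(session_user, request):
    """Write path with the same check; returns the new item count."""
    vin = request["vin"]
    _authorize_vin(session_user, vin)
    CARTS.setdefault(vin, []).append(request["item"])
    return len(CARTS[vin])


def access_denied(handler, session_user, request):
    """True when the handler refuses the request with Forbidden."""
    try:
        handler(session_user, request)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob's session sending alice's VIN: leaks from the vulnerable handler,
    # refused by the hardened one.
    crafted = {"vin": "VIN-AAA-0001"}
    print("vulnerable:", query_cart_vulnerable("bob", crafted))
    print("hardened denied:", access_denied(query_cart_hardened, "bob", crafted))
```

The point of `_authorize_vin` is that the check sits between authentication and the data access on every cart endpoint, read and write alike; a check only on the query endpoint would leave the add-order path open, which is exactly the pairing the advisory reports.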
---------------------------------------------------
Affected version: APP version <=1.34.0
----------------------------------------------------
Test tools: iPhone 13 Pro (iOS 16.6.1) and Burp Suite
----------------------------------------------------
Vulnerability verification
By changing the default VIN in the request sent to the cart query URL, we can query the cart of the user who just added items.
----------------------------------------------------
Addendum: the number of items in another user's cart can likewise be viewed without permission.
Change the VIN in the request packet.
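From the defender's side, the verification steps above describe a pattern an API gateway can see in its own logs: one authenticated account successfully reading or writing carts for VINs it does not own. The following is an added example, not Mercedes tooling; the log line format, field names, endpoint paths and ownership table are all constructed assumptions, and the regex would need to be adapted to the real gateway's schema.

```python
# Added example (not Mercedes code): log-side detection of cross-account
# cart access. Log format, paths, users, VINs and ownership are constructed.
import re
from collections import defaultdict

# Constructed ownership table as the detection pipeline would obtain it
# from the vehicle backend.
USER_VEHICLES = {
    "alice": {"VIN-AAA-0001"},
    "bob": {"VIN-BBB-0002"},
    "carol": {"VIN-CCC-0003"},
}

# Constructed gateway log lines. One account (bob) reads and writes carts
# for VINs it does not own; the final 403 shows the hardened server refusing.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z user=alice path=/cart/query vin=VIN-AAA-0001 status=200
2023-10-01T12:00:05Z user=bob path=/cart/query vin=VIN-BBB-0002 status=200
2023-10-01T12:00:09Z user=bob path=/cart/query vin=VIN-AAA-0001 status=200
2023-10-01T12:00:12Z user=bob path=/cart/add vin=VIN-CCC-0003 status=200
2023-10-01T12:00:20Z user=carol path=/cart/query vin=VIN-CCC-0003 status=200
2023-10-01T12:00:25Z user=bob path=/cart/query vin=VIN-AAA-0001 status=403
"""

# Assumed line layout: timestamp, then key=value fields in a fixed order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"vin=(?P<vin>\S+) status=(?P<status>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["status"] = int(event["status"])
        events.append(event)
    return events


def find_cross_account_access(events, ownership):
    """Primary signal: a successful (2xx) cart request whose VIN is not owned
    by the authenticated user. A 403 is the server doing its job, not an alert.
    Returns (timestamp, user, path, vin) tuples."""
    alerts = []
    for e in events:
        if not e["path"].startswith("/cart/"):
            continue
        if 200 <= e["status"] < 300 and e["vin"] not in ownership.get(e["user"], set()):
            alerts.append((e["ts"], e["user"], e["path"], e["vin"]))
    return alerts


def vins_per_user(events):
    """Secondary signal that needs no ownership data: how many distinct VINs
    each account touched on cart endpoints. A single retail account normally
    stays at one or two, so a high count is worth a look on its own."""
    seen = defaultdict(set)
    for e in events:
        if e["path"].startswith("/cart/"):
            seen[e["user"]].add(e["vin"])
    return {user: len(vins) for user, vins in seen.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in find_cross_account_access(evts, USER_VEHICLES):
        print("cross-account cart access:", alert)
    print("distinct VINs per user:", vins_per_user(evts))
```

The first function is the precise check and needs the ownership mapping; the second is a cheap fallback for pipelines that only see gateway logs, and it still singles out the account from the sample data.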