Myntra’s Privacy Hack [Your Invoice Open to Public]

Myntra had a privacy plug that enabled anybody to view other user’s credentials (address/email/mobile/order amount etc) by just playing with the invoice url.

Basically, if you have every bought anything from Myntra, you would be aware of the Invoice URL :
http://www.myntra.com/order_invoice.php?orderid=somenumber&t=u

All you need to do is to play with the order id (any 5 digit number would do) and you can see the entire invoice details! (and you don’t even need to sign-in for the same)

Myntra Invoice - Up for Hacks

So essentially, if you ever bought anything from the site, your personal data was public and open to spammers/harvesters what’er.

We were aware of this issue since the last ~3 days (Raxit found this out) , but chose not to talk about this, unless the issue was fixed.

I believe these are serious issues that deters Indian users to even click on e-commerce sites. Apart from lip service (like https secured connection/digital signature), do you think there needs to be a set of checks that one should comply to before you even start selling your products online?

And what about ecommerce sites that fail to comply to these? Fine them?

Sadly, the updated IT Act Amendment Bill too doesn’t have any provision for privacy issues.

What’s your though on this?

pic credit: raxit, another pic

Sign Up for Our Newsletters

Get smarter with most important stories.

You May Also Like