In short, it is possible to collect a huge amount of data on payments for invoices issued in the system. This data includes the purpose of the payment, its description and its amount, and, most importantly, the payer's mobile phone number, which in some cases also serves as the login to the wallet. The descriptions usually contain other information as well, which should be no more public than the data already mentioned.
After waiting, as expected, long enough for a fix to be possible, I decided to make public the leak of confidential data that I had found. The research was conducted within a bug bounty program. The report, which is now more than six months old, is marked as a duplicate, so most likely the problem has remained unfixed for even longer.
I re-checked everything described below with my own wallet; the information, unfortunately, is the same. The data is available to anyone who wants it: there are no prerequisites for exploitation, it is done simply by iterating over the order parameter.
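The problem described above is an enumerable, sequential order identifier that is served without any ownership check. From the defender's side, such enumeration leaves a recognisable trace in web-server access logs: one client walking through adjacent order IDs on the same endpoint. The following detection script is an added example and is not part of the original post or of QIWI's own tooling; the log lines, IP addresses, timestamps and all order IDs other than the one quoted in the post are constructed for the example, and the path /order/external/main.action is taken from the URL in the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample of access-log lines in the common "combined" format.
# IPs are from documentation ranges, timestamps are invented, and the order
# IDs after the first one are simply counted up to mimic enumeration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2019:12:00:01 +0300] "GET /order/external/main.action?order=524928171&phone=12345 HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jul/2019:12:00:02 +0300] "GET /order/external/main.action?order=524928172&phone=12345 HTTP/1.1" 200 4098
203.0.113.7 - - [10/Jul/2019:12:00:02 +0300] "GET /order/external/main.action?order=524928173&phone=12345 HTTP/1.1" 200 4101
203.0.113.7 - - [10/Jul/2019:12:00:03 +0300] "GET /order/external/main.action?order=524928174&phone=12345 HTTP/1.1" 200 4077
203.0.113.7 - - [10/Jul/2019:12:00:03 +0300] "GET /order/external/main.action?order=524928175&phone=12345 HTTP/1.1" 200 4090
198.51.100.20 - - [10/Jul/2019:12:00:05 +0300] "GET /order/external/main.action?order=600100200&phone=79001234567 HTTP/1.1" 200 4112
198.51.100.20 - - [10/Jul/2019:12:03:40 +0300] "GET /order/external/main.action?order=600100200&phone=79001234567 HTTP/1.1" 200 4112
192.0.2.9 - - [10/Jul/2019:12:00:06 +0300] "GET /static/app.js HTTP/1.1" 200 53120
"""

# Matches the fields of a combined-format log line that this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

ORDER_ENDPOINT = "/order/external/main.action"  # path from the URL quoted in the post


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    order = parse_qs(url.query).get("order", [None])[0]
    return {
        "ip": m["ip"],
        "path": url.path,
        "order": int(order) if order and order.isdigit() else None,
        "status": int(m["status"]),
    }


def find_enumeration(log_text, endpoint=ORDER_ENDPOINT, min_orders=4, max_step=10):
    """Flag clients that requested at least `min_orders` distinct order IDs on the
    endpoint where, after sorting, the IDs sit within `max_step` of each other.

    A normal customer opens one or two of their own orders; walking through
    adjacent IDs is the signature of enumeration. Repeated hits on the same
    order (a page refresh) do not count, because IDs are collected into a set.
    Returns {ip: summary} for flagged clients only.
    """
    orders_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint or rec["order"] is None:
            continue
        orders_by_ip[rec["ip"]].add(rec["order"])

    findings = {}
    for ip, orders in orders_by_ip.items():
        if len(orders) < min_orders:
            continue
        ordered = sorted(orders)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        small_steps = sum(1 for d in steps if d <= max_step)
        # min_orders distinct IDs need min_orders - 1 small gaps to form a run.
        if small_steps >= min_orders - 1:
            findings[ip] = {
                "distinct_orders": len(ordered),
                "first": ordered[0],
                "last": ordered[-1],
                "small_steps": small_steps,
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(f"possible order enumeration from {ip}: {summary}")
```

Running the script flags only 203.0.113.7, which requested five consecutive order IDs; 198.51.100.20 merely reloaded one order and is left alone. The thresholds are deliberately conservative and should be tuned against real traffic, and the same logic can be pointed at any endpoint that keys on a sequential identifier. Detection is a stopgap: the actual fix is a server-side check that the requested order belongs to the authenticated wallet, together with non-guessable public order references.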
Let me confirm the above with an example. Following the link https://w.qiwi.com/order/external/main.action?order=524928171&phone=12345 , we get this response:
And looking at the HTML code, we find the phone number of the user who made the payment.
Another example, with the status "cancelled":
HTML:
And here, besides the data already mentioned, there is someone's email, which, incidentally, cannot be found by googling. This case, by the way, answers the question of why spam is sometimes sent to a private email address or mobile number.
Moving on:
This email is also not exposed anywhere else. Let's extract the phone number:
And then confirm the validity of this number and this email at the same time:
Let's google it:
Follow the first link:
And here is the payee in person:
It might seem there is nothing to it: the person conducts commercial activity and does not hide his contact details. All true, if you do not count the postal address, which Konstantin has never made public and certainly does not want to. I spent a long time blurring out the screenshots, and I am not publishing the link, for Kostik's safety and peace of mind.
The last example is just one of the more innocuous uses of this data, alongside promotional mailings that will hit their target precisely, using the other information obtained by this method.
I don't know for certain whether payments made through terminals are included in this leak, but the numbers are impressive. At the time the report was sent, the range lay approximately between 2,000,000,000 and 45,000,000,000. At the moment, the figure has exceeded 578,417,740 records.
As a researcher, this “bug” does not surprise me at all. But as an active user of the QIWI wallet, I am simply stunned by the speed with which its employees fix it.
I hope that with the release of this publication the company's specialists will start working faster and user data will remain safe.
All the best, and QIWI kitties.
UPD: Fixed.