Critical Security Vulnerability: Unauthenticated Access to /shipments/deleted Endpoint Leads to Data Deletion

hackersatty
About Me

Hi everyone! My name is Satyam Pawale, also known as @hackersatty in the bug bounty world. I started bug hunting in 2024 and have been passionate about finding security vulnerabilities ever since.

This blog is meant to share my experience and help others learn from it. If you like it or have any feedback, feel free to drop a comment below. Let’s get started!

Introduction

Security vulnerabilities in web applications can have severe consequences, particularly when they allow unauthorized users to manipulate critical data. This report discusses a major security flaw found in a logistics management platform (referred to as xyz.com), where an endpoint allowed direct deletion of shipment records without requiring any authentication or authorization.

Summary of the Vulnerability

A critical security flaw was identified in the shipment management system of xyz.com. An endpoint (/shipments/deleted) was found to be accessible without authentication, allowing any user to delete shipment records. This vulnerability poses a significant threat as it can be exploited by malicious actors to cause permanent data loss, disrupt logistics, and impact business operations.
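
An added example, not code from xyz.com or from the original report: a minimal Python dispatcher that contrasts a route registered with no auth requirement (the flaw summarized above) with a registration that enforces authentication, role and tenant ownership before the delete runs. The route table, session tokens, roles and shipment IDs are all constructed assumptions.

```python
# Added example: constructed data and hypothetical names throughout.
import hmac

SHIPMENTS = {"S-1001": {"owner": "acme"}, "S-1002": {"owner": "globex"}}  # constructed records
SESSIONS = {"tok-acme-admin": {"tenant": "acme", "role": "admin"},        # constructed sessions
            "tok-acme-viewer": {"tenant": "acme", "role": "viewer"}}

def delete_shipment(store, shipment_id):
    """Business logic only; it relies on the dispatcher to authorize the call."""
    return store.pop(shipment_id, None) is not None

# Route table: path -> (handler, required role). None reproduces the flaw on the page.
ROUTES_VULNERABLE = {"/shipments/deleted": (delete_shipment, None)}
ROUTES_HARDENED = {"/shipments/deleted": (delete_shipment, "admin")}

def authenticate(token):
    """Return the session for a bearer token, comparing in constant time."""
    if token is None:
        return None
    for known, session in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return session
    return None

def dispatch(routes, store, path, shipment_id, token=None):
    """Return an HTTP-style status code for a delete request."""
    if path not in routes:
        return 404
    handler, required_role = routes[path]
    if required_role is not None:
        session = authenticate(token)
        if session is None:
            return 401   # no valid session: authentication failed
        if session["role"] != required_role:
            return 403   # authenticated, but this role may not delete
        record = store.get(shipment_id)
        if record is not None and record["owner"] != session["tenant"]:
            return 404   # same answer as a missing record, so IDs cannot be enumerated
    return 200 if handler(store, shipment_id) else 404

def unauthenticated_routes(routes):
    """Audit helper: list routes registered without any required role."""
    return sorted(path for path, (_, role) in routes.items() if role is None)
```

Running `unauthenticated_routes` over the real route table in CI is a cheap regression check that no state-changing endpoint ships without an auth requirement.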
