This flaw will let you see the personal details including name, date-of-birth, family member details, PAN card, bank account number, as well as their uploaded documents including signature, address proof, bank statement.
This is a more sophisticated version of the same vulnerability. This example shows how to get full details of any user by phone number programmatically at bulk. For the safety of existing users, I am not writing the steps to reproduce vulnerability at large. Instead, I am writing a captcha protected PoC which can be used to confirm the vulnerability by anybody.
Visit this URL: https://apps.varunagw.com/AngelBroking.php
Test phone number: 9324116954
Here is how you will reproduce it.
- Visit this https://www.angelbroking.com/open-demat-account
- Enter the phone number you want to view details for (it must be already registered with them)
- If they signed up for the platform, you will get all their details and see the documents they uploaded. They don’t do any mobile number OTP verification before showing you the details.
For proof: I created a dummy profile using 9324116954. Try entering this number in the form. Don’t worry it’s an unused phone number from angel broking support team, so no harm to anyone.
This is a direct link to the form generated using the aforementioned phone number
The example shows the account which is not fully created. While I am yet to test for a fully created account, I think it might also work for them too (although with some extra complicated steps).