Payment receipt disclosure (Instamojo)
Hello, my fellow readers.

While searching for bounty programs, I came across Instamojo (a payment portal in India). I thought at first, why not give it a try and see if I can find something interesting? The best part is that I found it in the very first step, i.e. recon.

I started with some Google-fu (dorking, and that's where I got my alias). After a few dorks, I came across a PDF, which is actually a book sold by "I*** Foundation", and the crawler had found it. This is the URL:

https://www.instamojo.com/payment/status/MOJO5b*********/?token=<token here>&expired=true

So only the rightful owner who bought this book can view its receipt. I looked at whether I could bypass it, and then my attention shifted to the "expired=true" parameter. After I changed "true" to "false", I was in and could view the receipt.

Payment ID: MOJO5b0*********
Paid to: I**** Foundation
Paid on: Nov 09, 2015 at 9:52am
............
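The root cause described above is an access decision that depends on a value the client sends. The following is an added example, not Instamojo's code and not from the original post: a hypothetical receipt check written the weak way and then with expiry taken only from server-side state. The store layout, function names, payment ids and tokens are all constructed for illustration.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: payment id -> receipt-token record (hypothetical schema).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
TOKENS = {
    "MOJO-EXAMPLE-1": {"token": "tok-abc", "expires_at": NOW - timedelta(days=1)},
    "MOJO-EXAMPLE-2": {"token": "tok-xyz", "expires_at": NOW + timedelta(days=1)},
}


def can_view_receipt_weak(payment_id, query):
    """Pattern to avoid: the expiry decision is read from the request itself."""
    rec = TOKENS.get(payment_id)
    if rec is None or query.get("token") != rec["token"]:
        return False
    # The caller chooses this value, so it cannot gate access.
    return query.get("expired", "false") != "true"


def can_view_receipt(payment_id, query, now=NOW):
    """Hardened: expiry comes from the stored record; 'expired' in the URL is ignored."""
    rec = TOKENS.get(payment_id)
    if rec is None:
        return False
    supplied = query.get("token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied.encode(), rec["token"].encode()):
        return False
    return now < rec["expires_at"]


if __name__ == "__main__":
    # Same expired token, with the query flag set each way.
    for flag in ("true", "false"):
        q = {"token": "tok-abc", "expired": flag}
        print(flag, can_view_receipt_weak("MOJO-EXAMPLE-1", q),
              can_view_receipt("MOJO-EXAMPLE-1", q))
```

A query-string flag such as `expired` can still be used to choose which message to render, but the authorization result has to be computed before it is consulted.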