Mail.ru, one of Russia’s tech giants, has resolved a bug in its ZakaZaka platform. The bug was described as a Business Logic Error in ZakaZaka’s SMS code for a phone number change, which can be obtained by brute force attacks. Mail.ru rewarded the bug hunter who disclosed the bug and rated it as medium severity.

SMS Vulnerability in ZakaZaka


ZakaZaka is Russia’s second-largest food delivery platform after Delivery Club. Both are owned by Mail.ru, one of the largest internet companies in Russia. Mail.ru also owns VK, Russia’s largest social media platform.

A bug hunter named Novovolynsk (Moonwalker) disclosed a bug in ZakaZaka’s SMS mechanism to Mail.ru on June 18th this year, and the company rewarded him $150 the very next month. While Mail.ru had not clearly described the bug until now, a request by one of the users at HackerOne to Novovolynsk has revealed the bug details.

https://t.co/pkOyhwSTRP disclosed a bug submitted by moonwalker: https://t.co/iSRxbOI5eH – Bounty: $150 #hackerone #bugbounty pic.twitter.com/NG4AnQE8fv — publiclyDisclosed (@disclosedh1) December 9, 2020
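The bug class described above, an SMS confirmation code that can be found by brute force, is normally closed on the server by bounding guesses per code, expiring codes, and limiting how often a new code can be requested. The Python below is an added example of that check, not code from Mail.ru, ZakaZaka or the HackerOne report; the class name, the policy constants and the in-memory storage are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Assumed policy values for illustration; the report does not state any.
CODE_DIGITS = 6
CODE_TTL = 300          # seconds a code stays valid
MAX_ATTEMPTS = 5        # guesses allowed per issued code
MAX_ISSUES = 3          # codes a user may request per ISSUE_WINDOW
ISSUE_WINDOW = 3600     # seconds


class PhoneChangeVerifier:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # user_id -> [code, new_phone, expires_at, attempts_left]
        self._issues = {}    # user_id -> [window_start, count]

    def issue(self, user_id, new_phone):
        """Return a fresh code for the SMS gateway, or None if rate limited."""
        now = self._clock()
        window = self._issues.setdefault(user_id, [now, 0])
        if now - window[0] >= ISSUE_WINDOW:
            window[0], window[1] = now, 0
        if window[1] >= MAX_ISSUES:
            return None  # re-requesting must not hand out unlimited guesses
        window[1] += 1
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = [code, new_phone, now + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user_id, submitted):
        """Return the confirmed phone number on success, else None."""
        entry = self._pending.get(user_id)
        if entry is None:
            return None
        code, new_phone, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]
            return None
        entry[3] -= 1  # spend the attempt before comparing, so every guess counts
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok or entry[3] <= 0:
            del self._pending[user_id]  # success or burned code: single use either way
        return new_phone if ok else None
```

With these assumed limits a caller gets at most 15 guesses per hour against a space of 1,000,000 codes, and the counters are keyed to the account rather than to the session or IP address, so rotating either does not reset them.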