Decoding the auth header we get *redacted*:*redacted*, that’s not my username or password – these are static credentials sent with every request. The only identifiable piece of information left is the URL parameter customerId. […]
Every API request is like this, there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.
And to say the problem was reported about 17 months ago …
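The pattern described above is a missing object-level authorization check: a static application credential proves only that the caller is the app, not which customer it is, so the server has nothing to bind the customerId parameter to. The example below is added here and is not code from the original post or from the affected service; the credential values, customer records, session tokens and header names are all constructed placeholders. It decodes a Basic auth header to show what a static credential does and does not identify, then puts a handler that trusts customerId as-is next to one that derives the customer from a per-user session and refuses any other id.

```python
import base64

# Constructed sample data, not taken from any real system.
CUSTOMERS = {
    "1001": {"name": "alice", "orders": ["A-1"]},
    "1002": {"name": "bob", "orders": ["B-7"]},
}

# Constructed per-user session store: opaque token -> the customer it was issued to.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}

# Constructed static app credential, the kind that is identical in every request.
STATIC_APP_CREDENTIAL = ("app", "static-secret")


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def make_basic_header(user, password):
    """Build an RFC 7617 'Basic <base64(user:password)>' header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(header):
    """Decode a Basic auth header into (user, password).

    Doing this on the static header shows that it names the app, never the user,
    so it cannot be used to scope a request to one customer.
    """
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def get_orders_vulnerable(headers, customer_id):
    """Handler with the flaw described in the post (for contrast, do not deploy).

    It checks only that the shared app credential is present and then trusts
    the caller-supplied customer_id, so any id returns that customer's orders.
    """
    if decode_basic_header(headers["Authorization"]) != STATIC_APP_CREDENTIAL:
        raise Forbidden("bad app credential")
    return CUSTOMERS[customer_id]["orders"]


def get_orders_fixed(headers, customer_id):
    """Hardened handler: identity comes from a per-user session, not a parameter.

    The session token (assumed header name X-Session-Token) is resolved to the
    customer it was issued to, and the requested customer_id must match it.
    """
    session_customer = SESSIONS.get(headers.get("X-Session-Token", ""))
    if session_customer is None:
        raise Forbidden("no valid session")
    if session_customer != customer_id:
        # Worth logging: a mismatch here is the signature of an impersonation attempt.
        raise Forbidden("customerId does not belong to the authenticated customer")
    return CUSTOMERS[customer_id]["orders"]


if __name__ == "__main__":
    app_only = {"Authorization": make_basic_header(*STATIC_APP_CREDENTIAL)}
    print("vulnerable, any id accepted:", get_orders_vulnerable(app_only, "1002"))
    alice = {"X-Session-Token": "tok-alice"}
    print("fixed, own id:", get_orders_fixed(alice, "1001"))
    try:
        get_orders_fixed(alice, "1002")
    except Forbidden as exc:
        print("fixed, other id rejected:", exc)
```

A simpler and safer variant of the fixed handler drops the customerId parameter entirely and reads the customer from the session alone; keeping the parameter and checking it, as above, is the minimal change when the API contract has to stay compatible with existing clients.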