Here is the PoC app:
https://apps.varunagw.com/AngelBroking.php
The sample user for testing the vulnerability is 9324116954.
This app works even if the user has already completed the signup process. Please test only with the test phone number or your personal account. Don't try it on any real user without their permission.
I have not open-sourced the code, to prevent large-scale attacks on their customers. The app is also CAPTCHA-protected to prevent automation.
Now the more important part:
I wrote to [email protected] as well as two leading news websites (NDTV and MoneyControl) a week ago. Nobody has replied to me yet. So Angel Broking doesn't care about it, and the news websites also don't seem to care much about publishing it.
So my request to all of you is to reach anybody you know at Angel Broking, and to share this on other platforms (like Twitter) to increase awareness. If their signup process is like this, I cannot even comprehend what the rest of the platform is like. Looking at their attitude, at this point I don't care if Angel Broking gets sued or goes bankrupt in the future, or if their CEO gets fired or sent to jail. They deserve it. The attitude of Indian companies towards data security makes me really sad. Please help me in raising awareness.