[Glovo] Integer overflow vulnerability
Original Post:
We discussed this vulnerability during Episode 147 on 23 May 2022
Funny bug in Glovo, a delivery platform for placing orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the order POST request, which affects the total price of the order. For example, the researcher places an order for two different items, 1 of each. They then edit the request to change the quantities to 2299922 and 2499999, which, when used to calculate the price, produce a total lower than the price of the two items at one each.
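As an added illustration (not code from the podcast or from Glovo), here is a Go sketch of the mispricing: a checkout that multiplies price by quantity in 32-bit signed arithmetic, beside a version that bounds the quantity and computes in a wider type. The unit prices (1250 and 1750 cents) and the per-line quantity limit are constructed assumptions, not values from the page.

```go
package main

import (
	"errors"
	"math"
)

// Line is one order line: unit price in cents and requested quantity.
type Line struct {
	UnitPriceCents int32
	Quantity       int32
}

// vulnerableTotal reproduces the bug class from the summary: price times quantity
// in fixed-width signed arithmetic, so an oversized quantity wraps the line total.
func vulnerableTotal(lines []Line) int32 {
	var total int32
	for _, l := range lines {
		total += l.UnitPriceCents * l.Quantity // silently wraps past MaxInt32
	}
	return total
}

const maxQuantityPerLine = 99 // assumed business limit, not taken from the page

var (
	ErrBadQuantity = errors.New("quantity out of range")
	ErrBadPrice    = errors.New("price out of range")
	ErrOverflow    = errors.New("total exceeds representable range")
)

// safeTotal enforces the quantity bound, computes in a wider type, and
// refuses the order rather than returning a wrapped total.
func safeTotal(lines []Line) (int64, error) {
	var total int64
	for _, l := range lines {
		if l.Quantity < 1 || l.Quantity > maxQuantityPerLine {
			return 0, ErrBadQuantity
		}
		if l.UnitPriceCents < 0 {
			return 0, ErrBadPrice
		}
		lineTotal := int64(l.UnitPriceCents) * int64(l.Quantity) // int32*int32 fits in int64
		if total > math.MaxInt64-lineTotal { // defence in depth; unreachable under the bounds above
			return 0, ErrOverflow
		}
		total += lineTotal
	}
	return total, nil
}
```

With the constructed prices, the tampered quantities from the summary wrap the 32-bit total to a negative number, so the "order" prices below the two items at one each; the bounded version rejects it before any arithmetic runs.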