Last year, I discovered multiple significant security flaws in the Taiwanese customer support platform of Realme, a big Chinese smartphone manufacturer owned by OPPO. These issues exposed both customer data and internal support accounts, creating a dangerous combination of risks. The platform is now unreachable, so it is time for a writeup.
The first issue was found in the customer support API hosted on a server belonging to the manufacturer. The API performed no authorization check on the ticket being requested: anyone could read a customer support ticket simply by requesting a specific URL, without authenticating at all. This is a textbook broken object-level authorization (IDOR) flaw, with the aggravating factor that no session was required in the first place.
The API endpoint in question was structured as follows:
https://[HOST]/api/orders/[NUM]/messages?accept=true
Here, [NUM] was the unique identifier of a support ticket. By substituting [NUM] with a random or sequential number, an attacker could retrieve detailed information about any customer support ticket.
Exploiting this vulnerability was alarmingly straightforward: request https://[HOST]/api/orders/[NUM]/messages?accept=true with [NUM] replaced by a valid ticket ID, which could be guessed or brute-forced because the IDs were plain sequential integers. For example, visiting https://[HOST]/api/orders/21480/messages?accept=true returned the details of one specific support ticket, including the customer's email address, full name, phone number, and the products they had purchased. Walking the ID space in a loop therefore dumps the entire ticket database.
This was a clear case of a major customer data leak: personal data (full names, email addresses, phone numbers) and purchase history for every ticket in the system, readable by anyone on the internet.
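The following is an added illustration, not code from Realme's platform or from the original report, of the missing check and of the sequential-ID probe described above. The ticket store, the session model (roles `anonymous`, `customer`, `support`) and the handler names are assumptions chosen for the example; the only thing taken from the writeup is the shape of the flaw and the sample ID 21480.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Ticket:
    ticket_id: int
    owner_email: str
    messages: List[str]


@dataclass
class Session:
    """Caller identity. Role is 'anonymous', 'customer' or 'support' (assumed model)."""
    email: Optional[str] = None
    role: str = "anonymous"


class Unauthorized(Exception):
    """No valid session at all (would be an HTTP 401)."""


class NotFound(Exception):
    """Ticket missing or not visible to this caller (would be an HTTP 404)."""


# Constructed sample data: two tickets with sequential IDs, like the 21480 example.
TICKETS: Dict[int, Ticket] = {
    21480: Ticket(21480, "alice@example.com", ["Screen is cracked", "Phone: 0912-xxx-xxx"]),
    21481: Ticket(21481, "bob@example.com", ["Battery drains fast"]),
}


def get_messages_vulnerable(ticket_id: int, session: Session) -> List[str]:
    """Mirrors the flaw: the handler looks the ticket up by ID and returns it
    to whoever asked, never consulting the session."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        raise NotFound(ticket_id)
    return ticket.messages


def get_messages_hardened(ticket_id: int, session: Session) -> List[str]:
    """Object-level authorization: authenticate first, then check that the
    caller owns the ticket (or is support staff)."""
    if session.role == "anonymous" or not session.email:
        raise Unauthorized()
    ticket = TICKETS.get(ticket_id)
    # A ticket belonging to someone else gets the same 404 as a missing one,
    # so the endpoint cannot be used as an oracle for which IDs exist.
    if ticket is None or (session.role != "support" and ticket.owner_email != session.email):
        raise NotFound(ticket_id)
    return ticket.messages


Handler = Callable[[int, Session], List[str]]


def enumerate_tickets(handler: Handler, session: Session, ids: Iterable[int]) -> List[int]:
    """The sequential-ID walk from the writeup, run against a handler:
    returns the IDs whose messages were disclosed to this session."""
    leaked = []
    for ticket_id in ids:
        try:
            handler(ticket_id, session)
        except (Unauthorized, NotFound):
            continue
        leaked.append(ticket_id)
    return leaked


if __name__ == "__main__":
    probe = range(21479, 21483)
    print("vulnerable, anonymous:", enumerate_tickets(get_messages_vulnerable, Session(), probe))
    print("hardened, anonymous:  ", enumerate_tickets(get_messages_hardened, Session(), probe))
    print("hardened, alice:      ",
          enumerate_tickets(get_messages_hardened, Session("alice@example.com", "customer"), probe))
```

Against the vulnerable handler an anonymous walk over four IDs recovers both existing tickets; against the hardened one it recovers nothing, and an authenticated customer only sees her own. Two details matter in practice: the ownership check must be on the ticket object itself, not on some unrelated "is logged in" flag, and foreign tickets should be indistinguishable from missing ones. Non-sequential (random) ticket IDs are worth adding as defence in depth, but they are not a substitute for the authorization check.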
In addition to the API flaw, I identified a blind cross-site scripting (XSS) vulnerability in the platform’s support messaging system.
Incoming emails and Facebook messages from customers were automatically imported into the internal ticketing system and rendered in the agents' web interface without adequate sanitization or output encoding. By sending a maliciously crafted email containing a blind XSS payload, an attacker could have their payload execute in the browser of any support engineer who viewed the ticket, with that engineer's privileges in the support platform. This is what made the two findings dangerous in combination: the first leaks customer data to anyone, the second gives an outsider a foothold in the internal support accounts.