Jumper is an e-commerce enabler that helps you sell your products instantly on social media through comments. As soon as a user comments on one of your posts, it sends them an automatic message with all the product details. Users can pay and check out instantly within the messaging app itself.
It currently supports posts on Facebook, Instagram, Twitter and YouTube, and can message users via Facebook Messenger, Twitter DM and SMS.
A few days back, a friend of mine from India sent me a screenshot showing himself featured on Jumper's About page. I was curious to know more. When I asked him, he told me that he had reported security weaknesses in their web application to them and they had offered to mention him on their About page. I figured I couldn't miss this opportunity.
I visited Jumper confident that I would find bugs and ready to reach out to them. Before doing a single security test, I informed them through their site's online chat box that I had found security vulnerabilities and asked what their responsible disclosure procedure was. I got a positive answer from them and went ahead to test their site.
I tested the site for a little over an hour and found a number of vulnerabilities, some with high impact and some with medium. I reported these security issues to them one by one. The security issues I found were:
- Broken Authentication and Session Management Flaw (Cookie Replay).
- Cross-Site Request Forgery (CSRF) in the business address form.
- Stored Cross-Site Scripting (XSS) Admin to Admin.
- Clickjacking / UI Redressing, and a few more.
After a couple of hours, they responded to one of the emails. As it's not a large organization, it would perhaps take them more time to release a fix. Well, it was my birthday, 4 September, and instead of partying I was making the internet safer and more secure.
Impressive, isn't it? Two weeks or so later, I approached them for updates and they responded that they had made a fix for the critical ones and it would be deployed as soon as possible.
I sent them my display picture and within the next couple of hours I was listed on their site's About (Contributors) page, which was brilliant. It was my best experience yet in information security. I truly appreciate the Jumper support team for handling these reports so well, and they are looking forward to working with me in the future too.
Thanks to the Jumper team, and I would also like to thank you for your precious time. If you have any questions or suggestions, please use the comment form below and let me know. I always appreciate your comments and suggestions.